i am researching session hijacking, so far i have read this line of code 5 times (or variations of it)
Code PHP:
<?php
 
  $token = md5(uniqid(rand(), TRUE)) ;
  $_SESSION['token'] = $token;
 
?>

the idea behind it seems that if i add a token (unpredictable value) to the session, that then a session hijacker that stole my session (cookie theft for example) will not be authenticated because his token is incorrect.

now as far as i understand, session data is stored within the server, and only the session id is stored on the client (usually in a cookie), so if this cookie is stolen, then the hijacker will automatically inherit the token rendering its (the token's) protection useless...

what am i missing here?!?!?