Session data stays on the server, without direct access by an unauthorized third party.
One possibility to gain access to a particular session is session hijacking.
A session needs an ID. This ID is saved in a cookie by the user's browser. Another malicious user, in possession of the victim's computer, can simply copy this cookie to another machine and thus have access to the session opened by the victim. That is, this is a session hijack.
Browse through the site search: link
Another way to literally steal sessions is for an attacker to gain access to the server. An experienced attacker goes straight to obvious places where you can get valuable data. One of these locations is the folder where the sessions are saved. Many programmers save sensitive data without encryption, getting pure text. There it is papaya with sugar for a hacker to pick up passwords of hundreds or thousands of users.
In rough cases there are those who save up credit card details. Believe it or not, this absurdity happens.
obs: SSL does not increase security, it's indifferent to this case.