An attacker can spoof a non-secure browser into sending a JSESSION cookie that contains a valid user session. To stop this from happening, you need to configure the Identity Server to use SSL. For configuration information, see "Configuring Secure Communication on the Identity Server" in the NetIQ Access Manager 3.2 SP3 Setup Guide and "Securing the Identity Server Cookie" in the NetIQ Access Manager 3.2 SP3 Identity Server Guide.
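
One way to check, after configuring SSL, that the session cookie can no longer travel over a non-secure connection. This is an added example, not code from the NetIQ guides. The cookie name prefix, the host idp.example.com, and the sample response headers are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the session cookie name starts with "JSESSION" (the text above
# calls it the JSESSION cookie; servlet containers usually name it JSESSIONID).
SESSION_PREFIX = "JSESSION"


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, attribute-name set)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    # Attribute names are case-insensitive; only the part before '=' matters.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), cookie_value, attrs


def audit_response(url, raw_headers):
    """Return findings for session cookies that could travel over plain HTTP."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue  # status line or some other header
        name, _, attrs = parse_set_cookie(value)
        if not name.upper().startswith(SESSION_PREFIX):
            continue  # not the session cookie
        if scheme != "https":
            findings.append((name, "issued over a non-SSL connection"))
        if "secure" not in attrs:
            findings.append((name, "missing Secure attribute"))
    return findings


# Constructed sample responses (not captured from a real Identity Server).
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123ABCD; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "set-cookie: JSESSIONID=0123ABCD; Path=/; Secure; HttpOnly\r\n"
)

if __name__ == "__main__":
    for url, raw in (("http://idp.example.com/", WEAK),
                     ("https://idp.example.com/", HARDENED)):
        print(url, audit_response(url, raw) or "no findings")
```

A cookie without the Secure attribute is still reported when the response itself arrived over HTTPS, because the browser would send it again on any later plain-HTTP request to the same host.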