I am going to answer this to my best of abilities.But feel free to tell me if i miss something or to add anything
If someone has access to my computer , can they easily get my session
id by going to the browsers developer tools and taking a photo of the
session id with a phone, if the session id is passed in a cookie. eg.
in a java web app , the jsessionid is usually passed as a cookie (
sometimes even in the url ) They can then add that key-value pair to
the websites document cookie when they want it. ( assuming the session
is not expired yet) Am I missing something, is it so easy.
Absolutely they can simply go to console and write document.cookie to get saved cookie from any website and as long as those cookies correspond to a valid session.They can simply send those session identifiers in their browser request and hijack your session.
NOT JUST THAT
If an attacker has physical access they can also run a simple script to decrypt all the saved password on your google chrome browser.
If yes , why do browsers not employ not kind of security mechanisms so
that an attacker with physical access to the computer, is not able to
grab session id, or other important cookies through their developer
tools. You can't just get someone's password,even with access to the
computer. Chrome for example requires you to provide computer's
authentication credentials before you can view saved passwords. Why is
is similar authentication not required for cookies given that cookies
can many times contain temporary password (e.g. a session id )
Well for one its not possible.There are more ways to grab the cookies anyway.If you lockup developer tool you can simply intercept the request with a proxy and then grab the cookies from there.It is just not possible to hide it in a way that it even becomes hard for an attacker.
At last the thumb rule is
IF AN ATTACKER HAS PHYSICAL ACCESS TO YOUR SYSTEM,IT IS NOT YOUR SYSTEM ANYMORE.
also here is what google had to say about this
Chrome security tech lead, has responded to internet chatter on the
topic, saying that once past the OS login stage, someone can
theoretically find your passwords and all manner of other browser info
out anyway, using various underhand means