Typically a server application that is vulnerable to this type of exploit will copy user input into session variables.
Session poisoning was first discussed as a (potentially new) vulnerability class in the Full disclosure mailing list.
[1] Alla Bezroutchko inquired if "Session data pollution vulnerabilities in web applications" was a new problem in January 2006.
Alla Bezroutchko discusses examples observed in development forums, which allows writing to arbitrary session variables.
Note: Real-world examples of session poisoning in enabled by register_globals = on was publicly demonstrated in back in July 2001 article Serious security hole in Mambo Site Server version 3.0.X.