That’s always the case for any kind of encryption system. If your state of the machine is replicated elsewhere, no one can prevent the hacker from stealing your data, as for the server, the session is still associated with the original user. A good way to add security measure is to locate the IP address of user currently logged in and notify if the IP address is changed for the next request, but no one does that. The best way is to protect your machine and only use HTTPS-enabled websites.