Quiz Entry - updated: 2026.06.26
Why is it a bad idea to generate session cookie values sequentially (sessionid=0000000001, 0000000002, …)?
If session IDs are predictable, an attacker who has any valid ID (their own) can guess everyone else's by incrementing — instantly hijacking other users' sessions.
The attack:
- Attacker logs in legitimately, gets
sessionid=0000000042. - Attacker swaps in
sessionid=0000000043— now they're the next person who logged in.0000000044is the one after that. And so on. - No password needed; the cookie is the authentication.
This is exactly the kind of A2 — Broken Authentication issue OWASP keeps in the top 10. Real session IDs must be:
- Cryptographically random — generated from a CSPRNG, not
time()or a counter. - Long enough to make brute-force infeasible — at least 128 bits of entropy (OWASP recommends ≥ 64 bits of effective entropy).
- Server-chosen — never accept a session ID the client supplied.
Tip: A simple check — open the dev tools, look at your session cookie, hit logout/login a few times. The values should look like random garbage. Anything with a visible pattern is a finding.