LOGBOOK

HELP

Quiz Entry - updated: 2026.06.26

Why is it a bad idea to generate session cookie values sequentially (sessionid=0000000001, 0000000002, …)?

If session IDs are predictable, an attacker who has any valid ID (their own) can guess everyone else's by incrementing — instantly hijacking other users' sessions.

The attack:

  1. Attacker logs in legitimately, gets sessionid=0000000042.
  2. Attacker swaps in sessionid=0000000043 — now they're the next person who logged in. 0000000044 is the one after that. And so on.
  3. No password needed; the cookie is the authentication.

This is exactly the kind of A2 — Broken Authentication issue OWASP keeps in the top 10. Real session IDs must be:

  • Cryptographically random — generated from a CSPRNG, not time() or a counter.
  • Long enough to make brute-force infeasible — at least 128 bits of entropy (OWASP recommends ≥ 64 bits of effective entropy).
  • Server-chosen — never accept a session ID the client supplied.

Tip: A simple check — open the dev tools, look at your session cookie, hit logout/login a few times. The values should look like random garbage. Anything with a visible pattern is a finding.

From Quiz: ISF / Web Application Security Basics | Updated: Jun 26, 2026