After visiting your site, he opens up his browser debugger, and looks at the headers in the HTTP response. He notices that the Set-Cookie header includes a surprisingly small session ID.
Set-Cookie
Headers ▼ General Remote Address: 121.232.112.200:443 Request Method: GET Status Code: 200 OK ▶ Request Headers ▼ Response Headers Set-Cookie: session_id=142983010