Mal plugs one of these IDs into his browser, and voila, he has hijacked somebody's session.
Headers ▼ General Remote Address: 121.232.112.200:443 Request Method: GET Status Code: 200 OK ▶ Request Headers ▼ Response Headers Set-Cookie: session_id=41293