Weak session IDs can expose your users to having their
session hijacked. If your session IDs
are picked from a small range of values, an attacker only needs to probe
randomly chosen session IDs until they find a match.
You need to make sure your session IDs are unguessable, or else your
authentication scheme can be bypassed with relatively simple scripts.
Most modern frameworks implement secure session ID generation algorithms,
so this is a good argument for not inventing your own framework.
Session IDs need to be picked from a large address space (i.e. large
enough to make simple enumeration unworkable)
and unpredictable. If the generation algorithm is not securely random,
the attacker can narrow down the range of values needed in an enumeration