Securing Session IDs

Weak session IDs expose your users to session hijacking. If your session IDs are drawn from a small range of values, an attacker only needs to probe randomly chosen session IDs until one matches an active session.

Risks

Prevalence: Rare
Exploitability: Easy
Impact: Devastating

You need to make sure your session IDs are unguessable, or else your authentication scheme can be bypassed with relatively simple scripts. Most modern frameworks implement secure session ID generation algorithms, so this is a good argument for not inventing your own framework.

Session IDs need to be picked from a large address space (i.e. large enough to make simple enumeration unworkable) and unpredictable. If the generation algorithm is not securely random, the attacker can narrow down the range of values needed in an enumeration attack.
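The two requirements above, a large address space and unpredictable generation, can both be checked in code. The following is an added example, not code from the original page or from any particular framework: it draws a session ID from the operating system's CSPRNG via Python's `secrets` module, puts a deliberately weak clock-seeded generator next to it for contrast, and computes the entropy bound and the expected number of guesses an enumeration would need. The 128-bit floor (`MIN_SESSION_ID_BITS`) is an assumption chosen for the example; the page itself only says "large enough".

```python
import math
import random
import secrets

# Assumed baseline for this example: at least 128 bits of entropy per session ID.
# The article only requires "large enough to make simple enumeration unworkable".
MIN_SESSION_ID_BITS = 128


def generate_session_id(num_bytes: int = 32) -> str:
    """Return a URL-safe session ID from the OS CSPRNG.

    32 random bytes give 256 bits of entropy, encoded as 43 base64url characters.
    """
    return secrets.token_urlsafe(num_bytes)


def weak_session_id_from_time(timestamp: float) -> str:
    """Deliberately weak generator, shown only for contrast.

    A general-purpose PRNG seeded from the clock is reproducible: two sessions
    created in the same second receive the same ID, and anyone who can
    approximate the seed can narrow the search space dramatically.
    """
    rng = random.Random(int(timestamp))  # NOT a secure source of randomness
    return f"{rng.getrandbits(32):08x}"


def session_id_entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on the entropy of an ID of `length` symbols over an alphabet.

    This is only an upper bound: it assumes every symbol is chosen uniformly
    and independently, which is exactly what a weak generator fails to do.
    """
    return length * math.log2(alphabet_size)


def id_meets_minimum(alphabet_size: int, length: int,
                     minimum_bits: int = MIN_SESSION_ID_BITS) -> bool:
    """True if an ID format could reach the assumed entropy floor."""
    return session_id_entropy_bits(alphabet_size, length) >= minimum_bits


def expected_probes_for_hit(id_bits: float, live_sessions: int) -> float:
    """Expected number of random guesses before hitting any of `live_sessions` valid IDs.

    With 2**id_bits possible values and `live_sessions` of them active, each
    guess succeeds with probability live_sessions / 2**id_bits.
    """
    return (2 ** id_bits) / live_sessions


if __name__ == "__main__":
    strong = generate_session_id()
    print("CSPRNG session ID:", strong)
    # 43 base64url characters from a 64-symbol alphabet: 258-bit upper bound (256 real bits)
    print("entropy bound (bits):", session_id_entropy_bits(64, len(strong)))
    print("meets minimum:", id_meets_minimum(64, len(strong)))

    # An 8-hex-digit ID has at most 32 bits: with 1000 live sessions an
    # enumeration is expected to hit one after ~4.3 million probes.
    print("8-hex-digit ID meets minimum:", id_meets_minimum(16, 8))
    print("expected probes, 32-bit IDs, 1000 sessions:",
          expected_probes_for_hit(32, 1000))

    # Two IDs from the weak generator within the same second are identical.
    print("weak IDs collide within a second:",
          weak_session_id_from_time(1700000000.1) == weak_session_id_from_time(1700000000.9))
```

The comparison makes the page's two points concrete: the short hex ID fails on address space alone, while the clock-seeded generator fails on unpredictability even though its output looks random. A framework's built-in session store already does what `generate_session_id` does here, which is the argument for using it rather than rolling your own.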