Predictable Session ID


The application uses a predictable session ID. Session IDs are how the application tracks users across page requests under HTTP state management as defined in RFC 6265. If the method of generating session IDs is predictable, attackers can predict future IDs and use them to gain access to valid user sessions.

Attackers who can predict session IDs can hijack sessions for multiple users and gain access to their accounts. Once an attacker hijacks a session, they can gain access to sensitive or personal data and potentially change the account password in order to establish longer-term access to the application.
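As an added example (not part of the original finding), the following Python contrasts a deliberately weak, counter-based session ID generator with a CSPRNG-backed one, emits the RFC 6265 Set-Cookie line a fix should produce, and includes a crude check that flags a sample of IDs as sequential. The cookie name SESSIONID and the ID formats are assumptions for illustration.

```python
import secrets
import time


def weak_session_id(counter: int) -> str:
    """Constructed weak generator: Unix timestamp plus an incrementing counter.

    Anyone who sees one ID can guess the neighbours; this is the pattern the
    finding describes, kept here only as the 'before' case.
    """
    return f"{int(time.time())}-{counter:06d}"


def strong_session_id(nbytes: int = 32) -> str:
    """CSPRNG-backed ID: 32 bytes (256 bits) from the OS, URL-safe base64."""
    return secrets.token_urlsafe(nbytes)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line per RFC 6265 (cookie name is an assumption).

    Secure keeps the ID off plaintext HTTP, HttpOnly keeps it away from
    script, SameSite=Lax limits cross-site sending.
    """
    return (f"Set-Cookie: SESSIONID={session_id}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def looks_sequential(ids, tail: int = 6) -> bool:
    """Crude predictability check for a sample of issued IDs.

    Returns True when the last `tail` characters are all digits and
    increase by one constant non-zero step across the sample.
    """
    tails = [i[-tail:] for i in ids]
    if len(tails) < 2 or not all(t.isdigit() for t in tails):
        return False
    values = [int(t) for t in tails]
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and steps.pop() != 0


if __name__ == "__main__":
    weak = [weak_session_id(i) for i in range(1, 6)]
    strong = [strong_session_id() for _ in range(5)]
    print("weak sequential:  ", looks_sequential(weak))    # True
    print("strong sequential:", looks_sequential(strong))  # False
    print(session_cookie_header(strong[0]))
```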

Risk Rating


How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas
