Session Hijacking - Predictable Session IDs

This application has a critical session management vulnerability:

• Session IDs are predictable sequential numbers
• Sessions are not bound to IP address or user agent
• There's no session validation beyond checking if the ID exists

An admin user logged in a few minutes ago. Your goal is to hijack their session by guessing their session ID and accessing their secret data.

Learning Objective: Understand why session IDs must be cryptographically random and why additional session binding is important.