Generating Session IDs

In this lesson, we'll see how secure session IDs are generated.

Using incremental session IDs is a bad choice

It should go without saying, but your session IDs (often stored in cookies) should not resemble a known pattern or be generally guessable. Using an auto-incrementing sequence of integers as IDs would be a terrible choice, as an attacker could just log in, receive the session ID ...
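
As an added illustration (not part of the original lesson), the sketch below puts the incrementing scheme next to IDs drawn from the operating system's CSPRNG, and includes an audit check that flags a sequential pattern in issued IDs. The function and class names, the 32-byte length and the counter's starting value are assumptions chosen for this example.

```python
import secrets
from itertools import count

# Weak scheme the lesson warns against: an auto-incrementing integer.
_counter = count(1000)  # constructed starting value


def weak_session_id():
    return str(next(_counter))


def secure_session_id(nbytes=32):
    """Return nbytes of CSPRNG output, URL-safe base64 encoded (assumed length)."""
    return secrets.token_urlsafe(nbytes)


def looks_sequential(ids):
    """Audit check: True if IDs, in issue order, are integers with one constant step."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False  # not purely numeric, so not a plain counter
    if len(nums) < 3:
        return False  # too few samples to call it a pattern
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1


class SessionStore:
    """Minimal in-memory store; the ID generator is injected so both can be compared."""

    def __init__(self, new_id=secure_session_id):
        self._new_id = new_id
        self._sessions = {}

    def create(self, user):
        sid = self._new_id()
        while sid in self._sessions:  # regenerate on the (unlikely) collision
            sid = self._new_id()
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


if __name__ == "__main__":
    for name, gen in (("weak", weak_session_id), ("secure", secure_session_id)):
        store = SessionStore(gen)
        issued = [store.create(f"user{i}") for i in range(5)]
        print(name, issued[:2], "sequential:", looks_sequential(issued))
```

Running `looks_sequential` over a sample of IDs your application actually issues is a quick regression check that nobody has swapped the generator for a counter.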