Session management mechanisms are often vulnerable to attack because tokens are generated in an unsafe manner that enables an attacker to identify the values of tokens that have been issued to other users.
There are numerous locations where an application's security depends on the unpredictability of tokens it generates. Here are some examples:
The considerations in this chapter relating to weaknesses in token generation apply to all these cases. In fact, because many of today's applications rely on mature platform mechanisms to generate session tokens, it is often in these other areas of functionality that exploitable weaknesses in token generation are found.
Some session tokens are created using a transformation of the user's username or e-mail address, or other information associated with that person. This information may be encoded or obfuscated in some way and may be combined with other data.
For example, the following ...
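The following is an added illustration, not code from the book: a small audit helper that checks whether a session token (or any hex/base64 decoding of it, up to two layers deep) contains a known user value such as a username, placed beside a generator that issues meaningless random tokens and keeps the identity mapping server-side. The function names, the in-memory `SESSIONS` store and the sample user "alice" are all constructed for this example.

```python
import base64
import binascii
import secrets
from typing import Iterable

# --- Weak generator in the style the text describes (illustration only) ---
def weak_token(username: str, counter: int) -> str:
    """Hex-encodes the user's identity plus a counter: reversible and guessable."""
    return f"{username}:{counter}".encode().hex()

# --- Secure design: the token carries no meaning; identity is resolved server-side ---
SESSIONS: dict[str, str] = {}   # token -> username (constructed in-memory store)

def issue_session(username: str) -> str:
    """Return a 256-bit token from the OS CSPRNG and record who it belongs to."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def _decoders():
    """Decoders an auditor would try on a token; each raises on non-matching input."""
    def hex_dec(s: str) -> bytes:
        return bytes.fromhex(s)
    def b64_dec(s: str) -> bytes:
        return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    def b64url_dec(s: str) -> bytes:
        return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    return (hex_dec, b64_dec, b64url_dec)

def _layers(token: str, depth: int = 2) -> list[str]:
    """Return the token plus every text produced by up to `depth` rounds of decoding."""
    found = [token]
    frontier = [token]
    for _ in range(depth):
        nxt = []
        for s in frontier:
            for dec in _decoders():
                try:
                    out = dec(s)
                except (ValueError, binascii.Error):
                    continue  # not valid in this encoding; try the next one
                text = out.decode("utf-8", errors="ignore")
                if text and text not in found:
                    found.append(text)
                    nxt.append(text)
        frontier = nxt
    return found

def token_reveals_user_data(token: str, known_values: Iterable[str]) -> list[str]:
    """Audit check: which known user values appear in the token or in any decoding of it.

    An empty list is the expected result for a properly random token.
    """
    layers = [s.lower() for s in _layers(token)]
    return [v for v in known_values if any(v.lower() in s for s in layers)]

if __name__ == "__main__":
    weak = weak_token("alice", 1)
    good = issue_session("alice")
    print("weak token:", weak, "->", token_reveals_user_data(weak, ["alice", "bob"]))
    print("random token:", good, "->", token_reveals_user_data(good, ["alice", "bob"]))
```

Run against a sample of your own application's tokens, a non-empty result from `token_reveals_user_data` is the signal that the token encodes user data rather than being an opaque lookup key; the fix is the pattern in `issue_session`, where the only link between token and user is a server-side table.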