An attacker uses leaks or flaws in the authentication or session management functions (e.g., session IDs) to impersonate users.
Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.
The application is vulnerable if:
1) User authentication credentials aren't protected with hashing or encryption when stored (passwords in particular should be stored only as salted hashes from a slow, password-oriented function such as bcrypt or PBKDF2).
2) Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, password change, password recovery) or through weak session IDs.
3) Session IDs are exposed in the URL (e.g., URL rewriting), where they leak through browser history, proxy and server logs, and the Referer header.
4) Session IDs are vulnerable to session fixation: the ID a user presents before authentication, possibly planted by an attacker, stays valid after login.
5) Session IDs don't time out, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren't properly invalidated on logout.
6) Session IDs aren't rotated after successful login.
7) Passwords, session IDs, and other credentials are sent over unencrypted connections.
A statistical analysis of a sample of session IDs issued by such an application might report: the overall quality of randomness within the sample is estimated to be extremely poor, at a significance level of 1%, and the amount of effective entropy is estimated to be 0 bits.
Session IDs must be unpredictable; otherwise an attacker who can guess or compute a valid ID bypasses the authentication scheme entirely.
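The controls from the list above, as an added Python example that is not code from the original page: a deliberately predictable session ID generator next to a CSPRNG-backed one, a crude per-position entropy estimate that separates the two, and a minimal server-side session store that rotates the ID on login (which also defeats fixation), enforces an idle timeout, invalidates on logout, and carries the ID in a cookie rather than the URL. The idle-timeout value, the entropy estimator, and the session-store layout are assumptions for illustration, not anything the page specifies.

```python
import math
import secrets
import time
from collections import Counter

SESSION_ID_BYTES = 16           # 128 bits of randomness per ID
IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value, not from the page


def weak_session_id(counter):
    """Deliberately weak generator: a zero-padded counter. Each ID is
    predictable from the previous one, which is what a '0 bits of
    effective entropy' finding looks like in practice."""
    return f"{counter:032d}"


def strong_session_id():
    """CSPRNG-backed ID; 32 hex characters carrying 128 bits of entropy."""
    return secrets.token_hex(SESSION_ID_BYTES)


def estimate_entropy_bits(sample):
    """Crude estimate: Shannon entropy of each character position across the
    sample, summed. It ignores correlations between positions, so it is only
    an upper bound, but it is enough to separate the two generators above."""
    n = len(sample)
    total = 0.0
    for pos in range(len(sample[0])):
        counts = Counter(s[pos] for s in sample)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def compare_generators(n=1000):
    """Return (weak_bits, strong_bits) for n sampled IDs from each generator."""
    weak = [weak_session_id(i) for i in range(n)]
    strong = [strong_session_id() for _ in range(n)]
    return estimate_entropy_bits(weak), estimate_entropy_bits(strong)


class SessionStore:
    """Minimal server-side session table (assumed layout) implementing:
    unpredictable IDs, rotation on login, idle timeout, and server-side
    invalidation on logout."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so timeouts can be tested
        self._sessions = {}    # session_id -> {"user": ..., "last_seen": ...}

    def create_anonymous(self):
        sid = strong_session_id()
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, presented_sid, user):
        # Rotate on authentication: whatever ID the client presented before
        # login, possibly planted by an attacker, is discarded, so it never
        # becomes an authenticated session.
        self._sessions.pop(presented_sid, None)
        new_sid = strong_session_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._now()}
        return new_sid

    def user_for(self, sid):
        """Return the authenticated user for sid, or None if the session is
        unknown, anonymous, or idle past the timeout."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._now() - rec["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]    # idle timeout: drop it server-side
            return None
        rec["last_seen"] = self._now()
        return rec["user"]

    def logout(self, sid):
        # Invalidate server-side; clearing the cookie on the client alone
        # would leave the ID usable by anyone who captured it.
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Carry the ID in a cookie, never in the URL, with flags that keep it
    off unencrypted connections and away from page scripts."""
    return f"Set-Cookie: session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def fixation_attempt(store, victim="alice"):
    """Simulate session fixation: the attacker plants a known ID and the
    victim logs in while presenting it. Returns True if the planted ID is
    now an authenticated session (the vulnerable outcome)."""
    planted = store.create_anonymous()   # attacker learns this value
    store.login(planted, victim)         # victim authenticates with it
    return store.user_for(planted) is not None
```

Running compare_generators() on a sample of 1000 IDs gives roughly 10 bits for the counter-based generator (only the last three digits ever vary) against roughly 128 bits for the CSPRNG-backed one; a real assessment tool runs many more statistical tests than this per-position estimate, but the gap is the point. fixation_attempt() returns False against SessionStore because login() discards the presented ID; against a store that kept it, it would return True.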