If a website uses short, predictable session IDs, we can hijack them with a script.

What do you think this script should do?

Generate potential session IDsTest generated session IDsFind and log valid session IDs

Correct! Your script will enumerate potential session IDs and then try to access the website with them.

Wouldn't the script have to do all of these things?