Session Hijacking and Other Session Attacks

A session ID must be unique and should be hard to guess. That’s why in most cases session IDs are simply long, randomly generated numbers. However, not every developer uses secure, well-established session management libraries. Some decide to generate session IDs themselves and don’t do it well. Session prediction attacks are, in general, all attacks that attempt to guess a valid session ID (of any user) based on how such IDs are generated. For example, a developer might decide to use a base64-encoded Unix epoch time as a session identifier, so a valid session ID would look like MTU4MDMwMDE1OQ== (the base64 encoding of 1580300159). If the attacker figures out this algorithm, they can attempt to guess a valid session token by trying different epoch values and base64-encoding them.
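The following added example (not code from the original article) shows the defender's side of the scenario above: a small audit routine that flags session IDs which decode to a plausible Unix timestamp, as with the MTU4MDMwMDE1OQ== token, or that are too short to carry enough entropy, alongside a secure generator using Python's `secrets` module. The weak generator, the token samples and the "plausible timestamp" year range are constructed for illustration.

```python
import base64
import binascii
import secrets

# Plausible Unix-timestamp window used by the heuristic (constructed assumption):
# 2000-01-01T00:00:00Z .. 2100-01-01T00:00:00Z, in seconds.
EPOCH_MIN = 946684800
EPOCH_MAX = 4102444800

# Minimum length of a base64-style token carrying roughly 128 bits of entropy
# (22 base64 characters encode 16 bytes), used as a sanity threshold.
MIN_TOKEN_LENGTH = 22


def weak_session_id(epoch_seconds: int) -> str:
    """The flawed scheme described in the article: base64 of the epoch second.
    Kept here only so the audit below has something predictable to flag."""
    return base64.b64encode(str(epoch_seconds).encode("ascii")).decode("ascii")


def decode_epoch_token(token: str):
    """Return the embedded epoch value if `token` is standard base64 of a
    decimal Unix timestamp in the plausible window, otherwise None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid standard base64, so not this weak scheme
    if not raw.isdigit():
        return None  # decodes, but not to a decimal number
    value = int(raw)
    if EPOCH_MIN <= value <= EPOCH_MAX:
        return value
    return None


def classify_session_id(token: str) -> str:
    """Classify one session ID: 'predictable-timestamp', 'too-short' or 'ok'."""
    if decode_epoch_token(token) is not None:
        return "predictable-timestamp"
    if len(token) < MIN_TOKEN_LENGTH:
        return "too-short"
    return "ok"


def audit_session_ids(tokens):
    """Map every observed session ID (e.g. harvested from your own server's
    session store during a review) to its verdict."""
    return {token: classify_session_id(token) for token in tokens}


def secure_session_id() -> str:
    """A sound replacement: 32 bytes from the OS CSPRNG, URL-safe base64 encoded
    (43 characters, 256 bits of entropy)."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Constructed sample: the article's token, a short non-numeric token,
    # a freshly generated secure token.
    samples = [
        weak_session_id(1580300159),   # "MTU4MDMwMDE1OQ=="
        "aGVsbG8=",                    # base64("hello"), far too short
        secure_session_id(),
    ]
    for token, verdict in audit_session_ids(samples).items():
        print(f"{verdict:22} {token}")
```

The timestamp heuristic only catches the exact scheme the article describes; the length check is a coarse backstop for any home-grown scheme. The real fix is to stop generating IDs by hand and let a reviewed session library (or `secrets.token_urlsafe`) supply them.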
