Quote: Originally Posted by Ladon
Because session IDs are 32 hex digit GUIDs with 2^128 possible combinations. Good luck finding an active one especially since the server isn't going to let you check them at any kind of reasonable rate.
My point is it's not impossible.

How long does it take 20 people, 50 people, 100 people trying this method from as many computers before hitting on 1 valid ID that doesn't belong to them? Are you suggesting that since it took so long to get one ID that it's OK? Is it fair to the person whose account they stole?

It shouldn't be possible at all.