> I can forge my servserside session id for session hijacking. This is what I understood.
Forge this. For each session:
session_id = bin2hex(random_bytes(32))
Yes, you can change what you send to the server. But you can't hijack another user's session in this probability space (2^-256) by blind guessing. Instead, you need another way to leak their credentials to hijack the session.