[Supermancho]

I can manipulate my cookies. I can forge my servserside session id for session hijacking. This is what I understood.

[CiPHPerCoder]

> I can forge my servserside session id for session hijacking. This is what I understood.

Forge this. For each session:

    session_id = bin2hex(random_bytes(32))

Yes, you can change what you send to the server. But you can't hijack another user's session in this probability space (2^-256) by blind guessing. Instead, you need another way to leak their credentials to hijack the session.

[cryptica]

I didn't think so detailed but yes. My point was more that if you look at any technology concept, you will find vulnerabilities if it is misused.