CWE-6 : J2EE Misconfiguration: Insufficient Session-ID Length
The J2EE application is configured to use an insufficient session ID length.
Related CAPEC definitions
An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
This attack targets predictable session IDs in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
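As an added example (not part of the CWE or CAPEC entries), the following Python check estimates how many bits of entropy a session ID can carry from its length and character alphabet, which is what an insufficient session ID length directly limits. The 64-bit minimum and 128-bit recommended thresholds follow common session-management guidance (OWASP), and the sample IDs are constructed for illustration.

```python
import math
import string

# Standard alphabets seen in session IDs. The smallest one that covers the
# token gives the tightest upper bound on entropy per character.
HEX = "0123456789abcdef"
BASE64URL = string.ascii_letters + string.digits + "-_"

MIN_BITS = 64          # assumed minimum from common guidance (OWASP)
RECOMMENDED_BITS = 128  # assumed recommended size (16 random bytes)


def session_id_entropy_bits(token: str) -> float:
    """Upper bound on the entropy (in bits) a session ID of this length and
    alphabet can carry, assuming every character is chosen uniformly.
    A short ID cannot exceed this bound however good the generator is."""
    chars = set(token.lower()) if set(token) <= set(HEX + "ABCDEF") else set(token)
    for alphabet in (HEX, BASE64URL):
        if chars <= set(alphabet):
            return len(token) * math.log2(len(alphabet))
    # Unknown alphabet: fall back to the characters actually observed.
    return len(token) * math.log2(len(chars)) if chars else 0.0


def is_sufficient(token: str, minimum_bits: float = MIN_BITS) -> bool:
    """True when the ID's length alone does not cap entropy below the minimum."""
    return session_id_entropy_bits(token) >= minimum_bits


def audit(tokens: list[str]) -> dict[str, str]:
    """Classify each sampled session ID as 'weak', 'acceptable' or 'recommended'."""
    result = {}
    for token in tokens:
        bits = session_id_entropy_bits(token)
        if bits < MIN_BITS:
            result[token] = "weak"
        elif bits < RECOMMENDED_BITS:
            result[token] = "acceptable"
        else:
            result[token] = "recommended"
    return result


if __name__ == "__main__":
    # Constructed samples: an 8-hex-character ID (32 bits at most) versus a
    # 32-hex-character ID (128 bits at most).
    for token, verdict in audit(["a3f9c01b", "0123456789abcdef0123456789abcdef"]).items():
        print(f"{token}: {session_id_entropy_bits(token):.0f} bits -> {verdict}")
```

In Tomcat the generated length is set by the `sessionIdLength` attribute of the `<Manager>` element (default 16 bytes, i.e. 32 hex characters); lowering it is what produces the weak IDs this check flags.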
Please note that CWE definitions are provided as a quick reference only. Visit http://cwe.mitre.org/ for a complete list of CWE entries and for more details.