Session ID Guessing Simulator

Welcome to the Session ID Guessing Simulator! This tool simulates how an attacker might attempt to guess session IDs of users on a web application. You can adjust various parameters to see how the number of guesses and time required change under different conditions.

Configure Simulation Parameters

The number of bits (B) defines how many possible session IDs exist (2^B). More bits make guessing harder.



This represents how many valid session IDs are currently in use. The attacker’s goal is to guess one of these.


If provided, we will estimate how long it might take to guess a valid session ID.

Select Session ID Method


More about Dynamic Sessions

With dynamic session IDs, the valid session IDs change after every guess. This simulates users logging in and out frequently.

More about Static Sessions

With static session IDs, the valid session IDs do not change. This simulates long-lasting session IDs, like API keys.

Select Guessing Strategy


Each guess is chosen randomly. In static mode, random guessing may repeat and be less efficient.

Incremental guessing avoids repeat guesses in static mode and improves efficiency.

Decremental guessing also avoids repeats in static mode, making it more efficient.
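The session methods and guessing strategies described above can be compared with a small Monte Carlo model. This is an added example, not the simulator's own code: it assumes S is the number of valid session IDs, and the function names, the seeded generator and the closed-form expectations are supplied here rather than taken from the page.

```javascript
// Added example (not the simulator's code); all names here are hypothetical.
// Small seeded PRNG (mulberry32) so runs are reproducible.
function mulberry32(seed) {
  let a = seed | 0;
  return function () {
    a = (a + 0x6d2b79f5) | 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Pick S distinct valid IDs uniformly from the 2^B possible values.
function drawValid(n, s, rand) {
  const valid = new Set();
  while (valid.size < s) valid.add(Math.floor(rand() * n));
  return valid;
}

// Average guesses until the first hit. Keep bits small (about 20 or less) here.
function simulate({ bits, sessions, method, strategy, trials, seed = 1 }) {
  const n = 2 ** bits;
  if (sessions < 1 || sessions > n) throw new RangeError("need 1 <= S <= 2^B");
  const rand = mulberry32(seed);
  let total = 0;
  for (let t = 0; t < trials; t++) {
    let valid = drawValid(n, sessions, rand);
    let next = strategy === "decremental" ? n - 1 : 0;
    for (let guesses = 1; ; guesses++) {
      const guess = strategy === "random" ? Math.floor(rand() * n) : next;
      if (valid.has(guess)) { total += guesses; break; }
      next = strategy === "decremental" ? (next - 1 + n) % n : (next + 1) % n;
      // Dynamic: users log in and out, so the valid set changes after every guess.
      if (method === "dynamic") valid = drawValid(n, sessions, rand);
    }
  }
  return total / trials;
}

// Closed-form expectation (assumption of this example, standard probability):
// independent guesses succeed with p = S/2^B, so the mean is 2^B/S; a
// non-repeating sweep of a fixed set finds the first valid ID after
// (2^B + 1)/(S + 1) guesses on average.
function expectedGuesses(bits, sessions, method, strategy) {
  const n = 2 ** bits;
  return method === "static" && strategy !== "random"
    ? (n + 1) / (sessions + 1)
    : n / sessions;
}
```

With B = 4 and S = 2, the static incremental sweep averages about 5.67 guesses against 8 for random guessing, which matches the remark that repeats make random guessing less efficient in static mode.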


Run Simulation:

More trials give more accurate results but take longer.

