The main problem with an application that tracks the session using just one identifier is that anyone who obtains that ID can use it to steal the session. For example, with the Burp Suite Proxy tool you can intercept the request in which the session ID is sent. This session ID was created for one specific user. For example, see the following request:
GET /login.php HTTP/1.1
Host: 192.168.1.67
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: HPSESSID=784uaocq9lb6uthqcc259imks1
Upgrade-Insecure-Requests: 1
Now, using another browser that also passes its traffic through Burp Suite, open a new session as a different user; the request looks as follows:
GET /login.php HTTP/1.1
Host: 192.168.1.67
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: HPSESSID=784uaocq9lb234dsfcc259imk23
Upgrade-Insecure-Requests: 1
To confirm whether the session can be stolen, take a request from the second session and replace its HPSESSID value with the first user's value. If the application returns the first user's information, the application is vulnerable.
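The weakness above is that the server treats whoever presents the ID as its owner. The following added example (not code from the page or from the tested application; the store, the function names and the client attributes are hypothetical) contrasts that lookup with one that binds the session to the client context observed at login and raises an alert when the same ID arrives from a different client, which is the server-side counterpart of the Burp check described above.

```python
import hashlib
import hmac
import secrets

# Constructed example: an in-memory session store keyed by session ID.
SESSIONS = {}   # session_id -> {"user": ..., "fp": client fingerprint}
ALERTS = []     # session IDs presented from a client other than the one that logged in


def client_fingerprint(ip, user_agent):
    """Hash of request attributes the server can observe on every request."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def create_session(user, ip, user_agent):
    """Issue a fresh, unpredictable ID and bind it to the client that logged in."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "fp": client_fingerprint(ip, user_agent)}
    return sid


def lookup_vulnerable(sid):
    """Weak form: the ID alone identifies the user, so a copied cookie is enough."""
    rec = SESSIONS.get(sid)
    return rec["user"] if rec else None


def lookup_bound(sid, ip, user_agent):
    """Hardened form: the ID must also arrive from the client it was issued to."""
    rec = SESSIONS.get(sid)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["fp"], client_fingerprint(ip, user_agent)):
        # Same ID, different client: record it and invalidate the exposed session.
        ALERTS.append({"sid": sid, "user": rec["user"], "seen_from": ip})
        SESSIONS.pop(sid)
        return None
    return rec["user"]
```

Binding to IP and User-Agent is defence in depth only, since both can change legitimately (NAT, mobile networks) and the User-Agent is under client control; it complements, rather than replaces, HttpOnly and Secure cookie flags and regenerating the ID at login.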