How it works...

Burp Suite's Sequencer performs a number of statistical analyses on a large sample of session identifiers (or any other piece of a response we point it at) to determine whether that data is being randomly generated or whether it follows a predictable pattern that would allow an attacker to generate a valid ID and hijack a session with it.

First, we analyzed a complex session cookie composed of a data structure encoded with the base64 algorithm followed by what appears to be an SHA-1 hash. We can tell that the first part is base64-encoded because it contains lowercase and uppercase letters and numbers, may also contain a plus symbol (+) or a slash (/), and ends in %3D, which is the URL escape sequence for =, the padding character that terminates a base64 string. We say the second part of the cookie is an SHA-1 hash because it is a hexadecimal string of 40 digits; each hexadecimal digit represents 4 bits, and 4 bits * 40 digits = 160 bits, and SHA-1 is the most popular 160-bit hashing algorithm.

Then, we analyzed a weakly generated session ID. It is rather obvious that it is incremental: in decimal numbers, the digit in the rightmost position changes ten times more frequently than its closest left-hand neighbor, which is exactly what we observed. The second part of the ID, based on its length and most significant digits, suggests a Unix timestamp (https://en.wikipedia.org/wiki/Unix_time).
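The manual reasoning above (alphabet and length checks on each cookie fragment, then per-field and per-position comparison of a weak ID sample) can be written down as a small script. The following is an added example and is not code from the book or from Burp Suite; the cookie and the session IDs it works on are constructed here (the structured part is a small JSON document, the second part is an SHA-1 digest of it), and the separators `:` and `-` are assumptions about the sample format. Sequencer runs far stronger statistical tests on thousands of samples; this only shows the first-look triage an analyst does by eye.

```python
import base64
import hashlib
import re
import urllib.parse
from datetime import datetime, timezone

# Hex length of a digest -> size in bits (MD5, SHA-1, SHA-256).
HASH_BITS = {32: 128, 40: 160, 64: 256}


def make_sample_cookie():
    """Construct a cookie shaped like the one discussed: base64(structure) + ':' + sha1 hex.

    The payload is 32 bytes, so its base64 form ends in a single '=' which the
    browser sends URL-escaped as %3D. Both values are constructed, not real.
    """
    payload = b'{"user":"alice","role":"editor"}'
    structured = urllib.parse.quote(base64.b64encode(payload).decode())
    digest = hashlib.sha1(payload).hexdigest()
    return structured + ":" + digest


def classify_token(token):
    """Label one cookie fragment from its alphabet and length, as done by eye above."""
    decoded = urllib.parse.unquote(token)
    # Check the hex case first: a hex digest is also valid base64 alphabet.
    if re.fullmatch(r"[0-9a-fA-F]+", decoded) and len(decoded) in HASH_BITS:
        return f"hex {HASH_BITS[len(decoded)]}-bit digest"
    if re.fullmatch(r"[A-Za-z0-9+/]+=*", decoded):
        try:
            base64.b64decode(decoded + "=" * (-len(decoded) % 4), validate=True)
            return "base64"
        except ValueError:
            pass
    return "unknown"


def classify_cookie(cookie, sep=":"):
    """Split a cookie on sep and classify each fragment."""
    return [classify_token(part) for part in cookie.split(sep)]


def decode_structured_part(cookie, sep=":"):
    """Recover the data structure hidden in the base64 fragment (first field)."""
    first = urllib.parse.unquote(cookie.split(sep)[0])
    return base64.b64decode(first + "=" * (-len(first) % 4))


def analyze_weak_ids(ids, sep="-"):
    """For each numeric field across a sample of IDs, say whether it looks like a
    counter (consecutive values) or a Unix timestamp in seconds (monotonic,
    roughly 2001..2033 range), mirroring the reasoning in the text."""
    columns = list(zip(*(i.split(sep) for i in ids)))
    report = []
    for col in columns:
        values = [int(v) for v in col]
        deltas = [b - a for a, b in zip(values, values[1:])]
        if deltas and all(d == 1 for d in deltas):
            report.append("incrementing counter")
        elif all(d >= 0 for d in deltas) and all(1e9 <= v <= 2e9 for v in values):
            first = datetime.fromtimestamp(values[0], tz=timezone.utc)
            report.append(f"Unix timestamp (seconds), first seen {first:%Y-%m-%d}")
        else:
            report.append("unclassified")
    return report


def position_variability(ids):
    """Number of distinct characters seen at each string position across the sample.
    A position that never changes contributes no entropy; the rightmost digits of a
    counter are the ones that vary most."""
    width = max(len(i) for i in ids)
    return [len({i[pos] for i in ids if pos < len(i)}) for pos in range(width)]


# Constructed weak IDs: an incrementing counter glued to a Unix timestamp.
WEAK_IDS = [
    "1000201-1700000000",
    "1000202-1700000003",
    "1000203-1700000007",
    "1000204-1700000011",
]

if __name__ == "__main__":
    cookie = make_sample_cookie()
    print(cookie)
    print(classify_cookie(cookie))          # ['base64', 'hex 160-bit digest']
    print(decode_structured_part(cookie))   # the JSON structure
    print(analyze_weak_ids(WEAK_IDS))
    print(position_variability(WEAK_IDS))
```

The hex test runs before the base64 test on purpose: a 40-digit hexadecimal string is also a valid base64 string, so ordering the checks the other way would mislabel the digest. The variability list is the cheap version of what Sequencer's bit-level tests measure: positions that never change across the sample carry no entropy, and on the constructed IDs only three positions vary at all.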
