Session cookie is not randomized enough
Numerous applications use a session cookie to maintain the state of a logged-in user. Authentication to validate the user who has logged in is very common, and most testers focus on that aspect of security. But a malicious user will look at the session cookie itself to see how he or she could gain authorized access to the application. The session cookie value must therefore be generated by a strong randomness algorithm.

Malicious black hat hackers will use tools to analyze how random the session cookie is. This is easy to do, and it reveals whether there is a logical pattern to how session cookies are assigned. If the developer of the application does not use enough randomness to generate the session cookie, there is little point in even having authentication. A random session cookie is vital to the application: without a properly randomized session cookie, a malicious user can and will walk all over the application.

Session cookie does not expire
If a session cookie does not expire, then technically it could last forever. This means that a malicious black hat could steal a cookie via an XSS vulnerability or a man-in-the-middle attack and use that session cookie to hijack your account. Additionally, if there is not enough randomness and you can predict a session cookie that does not expire, you can imagine the problems there.

Any session cookie that is used must have an expiration time. Typically the expiration timer starts counting down as soon as the web browser has been idle, and the session expires if the browser has been idle for too long. Additionally, the session cookie should also expire after a pre-determined time, regardless of activity. No one wants a session cookie maintained forever just because a browser session is active.
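The two properties discussed above, an unpredictable session identifier and a session that dies after both an idle timeout and an absolute lifetime, as an added example that is not part of the original post. The store, timeout values and injectable clock are assumptions made for illustration; tokens come from the OS CSPRNG via `secrets.token_urlsafe`.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before a session expires
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on session lifetime, even with activity
TOKEN_BYTES = 32                # 256 bits of entropy per session identifier


class SessionStore:
    """In-memory session store keyed by an unpredictable token (assumed design)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT,
                 absolute_timeout=ABSOLUTE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock          # injectable so expiry can be tested offline
        self._sessions = {}

    def create(self, user_id):
        # token_urlsafe draws from os.urandom; the identifier is never derived
        # from the user id, a timestamp or a counter, so it cannot be predicted.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        now = self.clock()
        self._sessions[token] = {"user": user_id, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user id for a live session; None (and drop it) if unknown or expired."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        idle_expired = now - sess["last_seen"] > self.idle_timeout
        lifetime_expired = now - sess["created"] > self.absolute_timeout
        if idle_expired or lifetime_expired:
            del self._sessions[token]   # server-side state gone, cookie is worthless
            return None
        sess["last_seen"] = now         # activity resets the idle timer only
        return sess["user"]

    def revoke(self, token):
        """Explicit logout: invalidate the session regardless of timers."""
        self._sessions.pop(token, None)
```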
