If a website uses short, predictable session IDs, we can hijack them with a script.
What do you think this script should do?
Correct! Your script will enumerate potential session IDs and then try to access the website with them.
Wouldn't the script have to do all of these things?