I'm trying to understand how session based cookies which come from the client are then validated by the server. For context this is my high level understanding:
For authentication I know that there are 2 approaches, sessions and tokens.
Token authentication is typically a JWT signed with a private key. Using this key the server can validate that the user ID (or whatever) is genuine.
For session based, when a user logs in a unique ID is created on the server and passed to the client and stored as a cookie. Then for each request from the client the cookie is the part of the header and the server can look up the ID to know who the client is.
My question is how does the server know this ID is genuine? Could a malicious client just try their luck with different IDs until one worked?
