IBM WebSphere Application Server 3.02 through 3.53 uses predictable session IDs for cookies, which allows remote attackers to gain privileges of WebSphere users via brute force guessing.
https://exchange.xforce.ibmcloud.com/vulnerabilities/7153
http://archives.neohapsis.com/archives/bugtraq/2001-09/0234.html