In this paper, we reveal such a weakness in an important e-commerce building block, the Java Servlets engine. Servlets generate a session-id token which consists of 128 hashed bits and must be unpredictable. Nevertheless, this paper demonstrates that this is not the case, and in fact it is...