Insecure Ids - Need explanation

[susam_pal () yahoo co in]

This is an extract from OWASP.

Insecure Id’s – Most web sites use some form of id, key, or index as a way to reference users, roles, content, objects, 
or functions. If an attacker can guess these id’s, and the supplied values are not validated to ensure the are 
authorized for the current user, the attacker can exercise the access control scheme freely to see what they can 
access. Web applications should not rely on the secrecy of any id’s for protection. 

=================================================
Can anyone please elaborate this part,

"If an attacker can guess these id’s, and the supplied values are not validated to ensure the are authorized for the 
current user, the attacker can exercise the access control scheme freely to see what they can access."

I have never used such ids, indexes or keys when I developed authentication systems to reference users or roles. What 
kind of ids or keys are we talking about? How can an attacker use a guessed id?

-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------