Write a program that connects to your guestbook page and stores the session ID. (You can also do this manually with telnet and note the session ID.)
On your HTTPS server, create a new page (it plays the role of the attacker's web page).
This page contains only a Hello World and a reference to an external resource (image, JavaScript, ...).
In reality, this reference points to the homepage of your guestbook and contains the session ID stored in the previous step.
Write another program that keeps your session alive (it regularly sends requests containing the session ID to the server).
Your program should raise an alert when the user has logged in (to detect this, look for a sentence that does not normally appear in the guestbook page).
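
Why the steps above succeed, and the server-side fix, shown as an added example that is not part of the original exercise. It is a constructed in-memory model of a session table; `SessionStore`, `fixation_outcome`, the user `alice` and the page strings are all hypothetical, and no network traffic is involved.

```python
import secrets


class SessionStore:
    """Constructed in-memory model of a server's session table (hypothetical)."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session ID -> username, or None while anonymous

    def visit(self, sid=None):
        """Handle an anonymous request; issue a session ID if none is known."""
        if sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = None
        return sid

    def login(self, sid, user):
        """Authenticate `user` on the session the browser presented."""
        sid = self.visit(sid)
        if self.regenerate_on_login:
            # Hardened: drop the pre-login ID and bind the user to a fresh one.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def page(self, sid):
        """Return the guestbook page as seen by the holder of `sid`."""
        user = self.sessions.get(sid)
        return f"Logged in as {user}" if user else "Guestbook (anonymous)"


def fixation_outcome(regenerate_on_login):
    """Replay the exercise's steps against the model and return what the
    holder of the pre-login session ID sees after the user logs in."""
    store = SessionStore(regenerate_on_login)
    known_sid = store.visit()        # session ID obtained before any login
    store.visit(known_sid)           # keep-alive request with the same ID
    store.login(known_sid, "alice")  # user's browser logs in on that session
    return store.page(known_sid)     # does the logged-in sentence appear?


if __name__ == "__main__":
    print("ID kept on login:       ", fixation_outcome(False))
    print("ID regenerated on login:", fixation_outcome(True))
```

When the server issues a new session ID at login, the ID stored in the first step no longer maps to an authenticated session, so the sentence the last step watches for never appears.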