Unless you 1) know how the session_var is generated on the other server side, or 2) collect enough legit session_vars to determin the method of generation (brute forcing it), there's no way of doing it, particularly if session_vars include time information in addition to userid and state.

I would also advice some potental caution given that you seem to be trying to go at an e-commerce site that is not yours; not only have courts ruled in favor of e-commerce sites to prevent 'bots' from collecting the same information but in a different display as with Ebay and meta-auction search engines, but I can see a whole host of other problems related to AUPs, the DMCA, and more in trying to decipher that session_var even for a legitamite use. One good example for your case: imagine if you could figure out the session_var structure, and it only stores the userid as a way to identify the user. Since you're playing with a shopping bag application, you could theorhetically maliciously fill any user on the site with goods they don't want via this remote script, and cause a lot of harm. I'm not implying that you're trying to do this here, but there's potental for abuse if your script got into the wrong hands.

Basically, I'd avoid trying to do anything automated with sites or scripts that involve finacle transactions in any way, as it could do more harm than good in the end.