Java uses UUID version 4 which has 122 bits of randomness built into the 128 bit UUID which is not guessable, multiply the 122 bits by 4 since I'm concatenating them + stripping dashes and then also take into account that if you send an incorrect UUID for a certain username, all UUIDs for that username is invalidated (although I only allow one UUID per username to be active at any time), if you try multiple times, your IP gets blocked.
So in practice, if you guess the UUID incorrectly the first time, you invalidate all other valid UUIDs in any case, if you try a second and third time or tamper in any way with some of the other data in the cookie (you won't have any success in any case since the UUID has already been invalidated during the first attempt), your IP gets blacklisted and you will simply get the same response (login: true, access: false) over and over until your IP is removed from the blacklist again.
All of this is going via SSL, so only you, once you have logged in, will be able to see the UUID, any attempt to tamper with the UUID blocks your IP and any attempt to guess someone's UUID will log them out invalidating the UUID followed by blacklisting your IP if you continue trying. Guessing the concatenated UUID is like guessing a 64 character password which is randomised by Java every time you log in of which you only have one shot.
To me the Java implementation sounds pretty secure, I can't speak for other languages though.
Have a look here, as you can see in the source code snippet, Java uses SecureRandom to generate the random bits: stackoverflow.com/questions/7532807/are-java-rand…
Maybe I'll start a topic on GUID security, then we can peek into which languages do it securely and which ones don't.