Brute forcing sucks.
No really it sucks lemons.
The whole idea behind security is not to keep people out but to keep people out long enough that they get bored, or you spot them breaking in. Also, session cookies are generated server side then given to the client, so the odds of you brute forcing one of these cookies that is in use at that given moment are low, to say the least.
It might be a good idea to consider the alternatives.
Target the box itself
This is a viable alternative: rather than targeting your effort at the website to try and find a vulnerability there, it might save you time and effort to go after an insecure box directly. Perhaps exploiting insecure password policies, or attacking more insecure services like FTP, would yield better results.
SQL
Oh SQL, where do I start. Most of the world seems to be running you these days, and a large majority of websites still don't sanitise input correctly. It might be the case that you can do SQL injection on the username box; no hard work is needed, you can either violate the SQL server or just get dumps of the database or even insert records into the database when you figure out the schema.
Social Engineering
Never ignore this aspect of security; humans have a price and you can buy anyone for the right amount. For this reason you could always pay him for admin access, pay him to set the password to something you know, or trick him into revealing his password directly. Or get him to install compromised software on the box.
There are so many other possible attack vectors that this list could go on for a while, hence why I will keep it short and to the point. These should give you some ideas; when doing a pen test or an audit, it's a good idea to keep an open mind about your target. Just remember the golden rule.
Keep things simple. Stupid.
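
The point above about session cookies, worked through as an added example that is not part of the original post: how long a blind guesser would need, on average, to land on any live session ID, for a server-generated 128-bit token versus a 32-bit one. The guess rate and session count are assumed figures, and the function names are hypothetical.

```python
import math
import secrets

SECONDS_PER_YEAR = 365 * 24 * 3600


def new_session_id(nbytes: int = 16) -> str:
    """Server-side session ID from the OS CSPRNG (16 bytes = 128 bits, hex encoded)."""
    return secrets.token_hex(nbytes)


def token_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a token whose characters are drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def expected_guesses(entropy_bits: int, live_sessions: int) -> float:
    """Mean guesses until the first hit when trying distinct values in random order.

    With N = 2^bits possible IDs and S of them live, the first hit is expected
    at position (N + 1) / (S + 1).
    """
    return (2 ** entropy_bits + 1) / (live_sessions + 1)


def expected_seconds(entropy_bits: int, live_sessions: int, guesses_per_second: float) -> float:
    """Expected wall-clock time for the guesser at a sustained request rate."""
    return expected_guesses(entropy_bits, live_sessions) / guesses_per_second


if __name__ == "__main__":
    sid = new_session_id()
    bits = int(token_entropy_bits(16, len(sid)))  # hex alphabet, 32 chars
    # Assumed load: 10,000 live sessions, 1,000 guesses per second reaching the server.
    for label, b in (("128-bit token", bits), ("32-bit token", 32)):
        secs = expected_seconds(b, 10_000, 1_000)
        print(f"{label}: {secs:.3g} s (~{secs / SECONDS_PER_YEAR:.3g} years)")
```

The 32-bit case falls in minutes at that rate, which is why the ID length, the randomness source and request rate limiting all matter, and why a sustained stream of requests carrying never-issued session IDs is worth alerting on.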