On Mon, Apr 29, 2002 at 12:37:14PM -0600, Jonathan Corbet wrote:
> It need not be in the cookie itself...especially that it's *now* available
> in the session object.

I think I've figured out why session cookies should be pure random numbers. You can't trust anything the client gives you (sometimes you don't care if they lie; for example, default user names). Important state must be stored on the server side.

I think storing information in the cookie has the potential to mislead people. For the IP address case it works because you are really storing that information in the keys of the session manager dictionary. Using a purely random session cookie is clearer, IMHO.

Neil
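As an added illustration of the design argued for above (example code written for this page, not from the original thread or any project), here is a minimal Python session manager: the cookie value is a random token with no meaning of its own, and all state, including the client IP the session was started from, is kept server side, keyed by that token. The class and method names and the IP-binding rule are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed example: server-side session store keyed by an opaque random token.
TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG; the cookie carries nothing else


@dataclass
class Session:
    client_ip: str                 # recorded by the server, never read from the cookie
    data: dict = field(default_factory=dict)


class SessionManager:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, client_ip: str) -> str:
        """Start a session and return the opaque cookie value to send to the client."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = Session(client_ip=client_ip)
        return token

    def lookup(self, cookie_value: object, client_ip: str) -> Optional[Session]:
        """Resolve a cookie presented by a client; None on any mismatch.

        The cookie is never parsed or interpreted, only used as a dictionary key.
        The IP check compares the server's own record of where the session began
        with the address of the current request (the binding rule assumed here).
        """
        if not isinstance(cookie_value, str):
            return None
        session = self._sessions.get(cookie_value)
        if session is None:
            return None          # unknown, expired or forged token
        if session.client_ip != client_ip:
            return None          # token replayed from a different address
        return session

    def destroy(self, cookie_value: str) -> None:
        """Invalidate a session; the token becomes meaningless immediately."""
        self._sessions.pop(cookie_value, None)
```

A cookie that tries to smuggle state in its value (for instance `ip=10.0.0.5;user=admin`) is simply an unknown key and resolves to no session.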