On Thu, Jun 29, 2006 at 11:19:12AM -0700, Mike Orr wrote:
> TurboGears signs the cookie using a hash. I don't understand how this
> works, and the developer said he only did it because people insisted,
> not because he thought it was more secure. But I can dig up the notes
> and implementation if there's sufficient interest.

Presumably this is to make the contents more random. If you numbered
sessions as 1,2,3,4,..., I might set my browser to try different numbers
as my session ID and see what I could find. (Especially for a high-value
site like a bank!) If the sequential integer is hashed with some secret,
it becomes much harder to guess another user's session ID.

--amk
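The scheme described in the message above, as an added worked example (not TurboGears's own implementation, whose notes the thread says are still to be dug up): a sequential session id is issued together with an HMAC-SHA256 over it under a server-side secret, and the server rejects any cookie whose MAC does not verify. The secret, the session store and the attacker's guessed key are all constructed for the demonstration. The two `enumerate_*` helpers play the browser-walking-the-integers attacker against the unsigned and the signed scheme respectively.

```python
import hmac
import hashlib

# Constructed example secret. In practice this is loaded from server
# configuration and is never sent to the client.
SERVER_SECRET = b"constructed-example-secret-do-not-use"


def sign_session_id(session_id: int, secret: bytes = SERVER_SECRET) -> str:
    """Return the cookie value 'id.mac' with mac = HMAC-SHA256(secret, id)."""
    payload = str(session_id).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify_session_cookie(cookie: str, secret: bytes = SERVER_SECRET):
    """Return the session id if the MAC verifies, otherwise None."""
    try:
        id_part, mac_part = cookie.rsplit(".", 1)
    except ValueError:
        return None  # no separator at all
    if not id_part.isdigit():
        return None
    expected = hmac.new(secret, id_part.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a plain '==' does not leak how many
    # leading MAC characters an attacker got right.
    if not hmac.compare_digest(expected, mac_part):
        return None
    return int(id_part)


def tamper_with_id(cookie: str, new_id: int):
    """Attacker keeps a legitimately issued MAC but swaps in another id."""
    _, mac_part = cookie.rsplit(".", 1)
    return verify_session_cookie(f"{new_id}.{mac_part}")


def enumerate_unsigned(store, max_id: int):
    """Attacker walking ids 1..max_id against a scheme that trusts the
    bare integer: every id that exists in the store is accepted."""
    return [i for i in range(1, max_id + 1) if i in store]


def enumerate_signed(store, max_id: int, attacker_secret: bytes = b"guess"):
    """Same walk against the signed scheme. The attacker can only MAC ids
    under a key they know, so the server accepts none of them."""
    hits = []
    for i in range(1, max_id + 1):
        forged = sign_session_id(i, attacker_secret)
        sid = verify_session_cookie(forged)
        if sid is not None and sid in store:
            hits.append(sid)
    return hits


if __name__ == "__main__":
    active_sessions = {1, 2, 3, 7}  # constructed: ids currently logged in
    print("unsigned scheme, attacker finds:", enumerate_unsigned(active_sessions, 10))
    print("signed scheme, attacker finds:  ", enumerate_signed(active_sessions, 10))
    print("round trip:", verify_session_cookie(sign_session_id(42)))
    print("id swapped under a real MAC:", tamper_with_id(sign_session_id(5), 6))
```

One caveat worth keeping in mind when reading the thread: signing a sequential id stops an attacker from forging a cookie the server will accept, but the id itself stays perfectly predictable, and anyone who obtains the secret can mint a valid cookie for every id. Issuing the id from a cryptographic random source (for example Python's `secrets` module) removes the guessability; the MAC then mainly protects whatever else the cookie carries from being edited.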