* Paul Davis:

> Do you have any examples of how other sites have protected against
> this? Unless I'm missing something I don't see how this is specific to
> Futon so surely someone else has some explicit documentation on how to
> avoid such things.

The standard countermeasure puts session identifiers into URLs
(sometimes they are called "form tokens", but this doesn't fit the
context here).

Upon login, the client could specify if it wants a session with or
without form tokens.
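As an added illustration of the scheme sketched above (not code from the thread or from CouchDB), the following models sessions that opt in or out of form tokens at login, derives each token from the session identifier with an HMAC, and checks a state-changing request against it. The server key, session store and function names are assumptions for this example.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# Constructed server-side key for this example; a real deployment keeps it out of source.
SERVER_KEY = secrets.token_bytes(32)

# session_id -> whether the session asked for form tokens at login
SESSIONS: Dict[str, bool] = {}


def login(use_form_tokens: bool) -> str:
    """Create a session; the client chooses at login whether form tokens are required."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = use_form_tokens
    return sid


def form_token(session_id: str) -> str:
    """Derive the token from the session id so it cannot be produced without SERVER_KEY."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_state_change(session_cookie: str, token_param: Optional[str]) -> bool:
    """Accept a state-changing request only if it proves it came from a page of this session.
    The cookie alone is not proof: browsers attach it to cross-site requests as well,
    which is what the form token in the URL guards against."""
    if session_cookie not in SESSIONS:
        return False
    if not SESSIONS[session_cookie]:
        return True  # session opted out of form tokens at login
    if token_param is None:
        return False
    return hmac.compare_digest(token_param, form_token(session_cookie))


def demo() -> Dict[str, bool]:
    """Exercise the four cases a reviewer would want to see."""
    sid = login(use_form_tokens=True)
    other = login(use_form_tokens=True)
    return {
        "own_token": authorize_state_change(sid, form_token(sid)),
        "missing_token": authorize_state_change(sid, None),
        "other_session_token": authorize_state_change(sid, form_token(other)),
        "opted_out": authorize_state_change(login(False), None),
    }
```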
