There seems to be some confusion over exactly what we're talking about... Apache::Session may work fine for creating a unique session ID, however this thread has really been about how to ensure that a session hasn't been hijacked. People have been suggesting various bits of info they could get from the client (IP, User Agent) and set in the cookie, thereby ensuring that the cookie is coming back from the client to whom they sent it.
There isn't anything you can use that will work 100%. The only way you can ensure that your cookies aren't being hijacked is to only send them over an SSL connection.

> From: Jon Robison <[EMAIL PROTECTED]>
> Date: Mon, 19 Nov 2001 10:47:33 -0500
> To: "Randal L. Schwartz" <[EMAIL PROTECTED]>
> Cc: fliptop <[EMAIL PROTECTED]>, "Jonathan E. Paton"
> <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: Doing Authorization using mod_perl from a programmers perspective
>
> How about using an Apache::Sessions id instead of IP address?
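
The point made in this reply, as an added Perl example (not code from the thread or from Apache::Session): a cookie bound by HMAC to client IP and User-Agent still validates for any request that presents the same two values, and rejects the real user after an address change, while the `Secure` attribute keeps the cookie off plain HTTP. The key, addresses, helper names and the `$is_https` flag are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SERVER_KEY = 'constructed-demo-key';    # placeholder secret, not a real key

# Bind a session id to client attributes, as proposed earlier in the thread.
sub make_token {
    my ($sid, $ip, $ua) = @_;
    return join ':', $sid, hmac_sha256_hex("$sid|$ip|$ua", $SERVER_KEY);
}

# Constant-time string comparison, so the MAC check leaks no timing.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

sub token_ok {
    my ($token, $ip, $ua) = @_;
    my ($sid, $mac) = split /:/, $token, 2;
    return 0 unless defined $mac;
    return ct_eq($mac, hmac_sha256_hex("$sid|$ip|$ua", $SERVER_KEY));
}

# Issue the cookie only on an HTTPS request and mark it Secure, so the
# browser never returns it over an unencrypted connection.
sub set_cookie_header {
    my ($token, $is_https) = @_;    # $is_https: assumed to come from the handler
    die "refusing to issue session cookie over plain HTTP\n" unless $is_https;
    return "Set-Cookie: session=$token; Path=/; Secure; HttpOnly";
}

# Constructed sample values (documentation address ranges).
my $ua    = 'Mozilla/4.0 (compatible; constructed sample)';
my $token = make_token('sid-0001', '192.0.2.10', $ua);

# A different client behind the same proxy, sending the same User-Agent,
# is indistinguishable to the binding check.
print "same proxy IP, same UA: ", token_ok($token, '192.0.2.10', $ua), "\n";
# The legitimate user after a dial-up or proxy address change is rejected.
print "real user, new IP:      ", token_ok($token, '198.51.100.7', $ua), "\n";
print set_cookie_header($token, 1), "\n";
```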