On 6/13/02 11:04 AM, Rob Nagler wrote:
>> With sessionID, you have an ID and information that is checksum'd.
>
> Sessions and user IDs are equivalent. They are called "credentials"
> which allow access to a system. There's no fundamental difference
> between hijacking a session or stealing a user id/password.

Well, given a user/pass, you can log in from anywhere. Given a session that's tied to information like the remote IP, user agent, date, etc. etc., it's a lot harder to reuse that information to log in from elsewhere.

-John
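
The kind of session binding discussed in this message, sketched as an added example that is not code from the thread or from either poster: a session ID carried with a keyed checksum over the remote IP, user agent and issue time, so the token fails verification when replayed from a different client. The names `SECRET`, `MAX_AGE`, `issue` and `verify` and all sample values are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

# Assumption: a server-side secret; this value is constructed for the example.
SECRET = b"constructed-example-key"
MAX_AGE = 3600  # seconds a session stays valid (assumed policy)


def _mac(session_id, issued, remote_ip, user_agent):
    # Length-prefix each field so that shifting bytes between fields
    # cannot produce the same checksum input.
    fields = (session_id, str(issued), remote_ip, user_agent)
    msg = b"".join(
        len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields
    )
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue(session_id, remote_ip, user_agent, now=None):
    """Build 'id.issued.mac'; session_id must not contain a dot."""
    issued = int(time.time() if now is None else now)
    mac = _mac(session_id, issued, remote_ip, user_agent)
    return f"{session_id}.{issued}.{mac}"


def verify(token, remote_ip, user_agent, now=None):
    """Return the session id if the token matches this client, else None."""
    try:
        session_id, issued_s, mac = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return None  # malformed token
    expected = _mac(session_id, issued, remote_ip, user_agent)
    # Constant-time comparison of the checksum.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # tampered, or presented from another IP / user agent
    now = time.time() if now is None else now
    if not 0 <= now - issued <= MAX_AGE:
        return None  # expired or issued in the future
    return session_id
```

Binding to the remote IP also rejects legitimate clients whose address changes mid-session, and it does not distinguish clients that share one address and send the same user agent.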