> > The problem is that if you keep the same session id after you switch to
> > HTTPS it is possible that somebody steals your secure session.
> > Yes, of course. (Sometimes I miss the obvious.)
IMHO, an HTTP session cannot do authentication. That is the job of SSL/TLS and client certificates. There is nothing in the session that can prevent a "hostile takeover". I think that even HTTPS cannot guard against this, unless the server fixes the Session-ID to the Client-IP upon successful creation of the session... Nix.
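The mitigation the quoted message points at (not reusing a plaintext session id once the connection moves to HTTPS) is shown below as an added example; it is not code from this thread. `SessionStore` and `handle_request` are hypothetical names for a toy in-memory store; a real application would do the same with its framework's session regeneration call and the `Secure` cookie attribute.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None
    secure: bool = False          # True once the id was issued over TLS
    data: dict = field(default_factory=dict)


class SessionStore:
    """Hypothetical in-memory store used to illustrate session-id rotation."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, secure: bool) -> Tuple[str, Session]:
        sid = secrets.token_urlsafe(32)       # unguessable id
        sess = Session(secure=secure)
        self._sessions[sid] = sess
        return sid, sess

    def lookup(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def rotate(self, old_sid: str, secure: bool) -> str:
        """Move the state to a fresh id and invalidate the old one."""
        sess = self._sessions.pop(old_sid)
        sess.secure = secure
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = sess
        return new_sid


def handle_request(store: SessionStore, sid: Optional[str], over_tls: bool):
    """Return (session id to set, cookie attributes) for one request."""
    sess = store.lookup(sid) if sid else None
    if sess is None:
        sid, sess = store.create(secure=over_tls)
    elif over_tls and not sess.secure:
        # Plain-HTTP id observed by anyone on the path: retire it on upgrade.
        sid = store.rotate(sid, secure=True)
    elif not over_tls and sess.secure:
        # A TLS-only id presented in clear is not trusted; start over.
        sid, sess = store.create(secure=False)
    attrs = "HttpOnly; SameSite=Lax" + ("; Secure" if over_tls else "")
    return sid, attrs
```

The `Secure` attribute stops the browser from ever sending the post-upgrade id over plain HTTP, and rotation ensures the id that travelled in clear no longer unlocks the secure session.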
