>
> Does it make sense if we impose that the in-cookie session can be 
> enabled only on an SSL session?
>

I assume the cookie is cryptographically signed so it can't be modified, so 
SSL shouldn't be necessary (though could optionally be turned on for 
additional protection to keep the contents private).
 

> Could we also leverage the browser local store as an option?
>

How would the server access the session then?

Anthony
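
The distinction drawn in the reply above (a signature stops modification, SSL keeps the contents private), as an added example that is not part of the original thread or any framework's own code. The key, the `payload.tag` cookie layout and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real server loads its secret from configuration.
SECRET_KEY = b"constructed-demo-key"


def _encode(session: dict) -> bytes:
    return json.dumps(session, sort_keys=True, separators=(",", ":")).encode()


def dump_session(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize the session and append an HMAC-SHA256 tag: base64(payload).base64(tag)."""
    payload = _encode(session)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode("ascii") for p in (payload, tag))


def load_session(cookie: str, key: bytes = SECRET_KEY):
    """Return the session dict, or None if the cookie is malformed or was modified."""
    try:
        payload, tag = (base64.urlsafe_b64decode(p.encode("ascii")) for p in cookie.split("."))
    except ValueError:  # wrong part count, non-ASCII input or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)


def read_without_key(cookie: str) -> dict:
    """Signing is not encryption: the payload decodes without the key."""
    return json.loads(base64.urlsafe_b64decode(cookie.split(".")[0]))


def tamper(cookie: str, **changes) -> str:
    """Modify the payload but keep the original tag, as a client without the key could."""
    payload_b64, tag_b64 = cookie.split(".")
    session = json.loads(base64.urlsafe_b64decode(payload_b64))
    session.update(changes)
    return base64.urlsafe_b64encode(_encode(session)).decode("ascii") + "." + tag_b64
```
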
