Well, yes, I believe that when using HTTPS, stealing a cookie means access to the computer. But people let other people use their computer, or your laptop might get stolen, or you might forget to lock it when you go out for lunch.
Because of the premise that you need physical access to the computer to steal the cookie, you probably have bigger security problems. But I would still like to protect against this. I've been thinking about including some "start-of-session-timestamp" in the cookie, that *wouldn't* get updated on each request, and have a time limit on the age of that timestamp. That way, a stolen cookie could only be used a limited amount of time.

http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3060325
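The scheme described in the message, as an added example that is not part of the original post or of Restlet: an HMAC-signed cookie carries a fixed "started" timestamp (never refreshed) next to a "seen" timestamp that is refreshed on every request, so a copied cookie stops working once the absolute limit passes, no matter how actively it is used. The secret key, the two limits and the field names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key-replace-me"  # assumption: server-side secret, never sent to clients
MAX_ABSOLUTE_AGE = 8 * 3600  # seconds after "started" at which the cookie dies, used or not
MAX_IDLE = 30 * 60           # seconds without a request after which the cookie dies


def _encode(data: dict) -> str:
    """Serialise the session fields and append an HMAC so the client cannot edit them."""
    payload = json.dumps(data, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def issue_cookie(user: str, now: float) -> str:
    """Mint a fresh cookie at login; 'started' is fixed for the life of the session."""
    return _encode({"user": user, "started": now, "seen": now})


def check_cookie(cookie: str, now: float):
    """Validate on each request. Returns (user, refreshed_cookie) or (None, None)."""
    try:
        enc, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(enc.encode())
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return None, None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None, None  # tampered or forged
    data = json.loads(payload)
    if now - data["started"] > MAX_ABSOLUTE_AGE:
        return None, None  # absolute lifetime exceeded: a stolen copy is now useless
    if now - data["seen"] > MAX_IDLE:
        return None, None  # idle too long
    data["seen"] = now  # refresh only the activity stamp, never "started"
    return data["user"], _encode(data)
```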