> Here we insert a session id on all requests, with Apache::Session, whether
> the request is for a static or dynamic page and have a TransHandler to
> strip the session id and insert it into %ENV which seems to work for us. With
> this approach we don't necessarily need cookies, but verifying if a user is
> who the session was originally assigned to without a cookie is really
> impossible. At least to me with the limited amount of brain time I have
> put into it. Using some algorithm consisting of the end-user's IP and some
> random number is OK until users behind the same NAT device try to steal each
> other's session. Using the cookie is a way to verify that a user is the owner
> of the session id.

Cookies are very easy to fake and modify on the client side.  If you want to
verify that a user is returning a session ID you sent him without modifying
it you should use a MAC, like the ticket access stuff in the Eagle book.

- Perrin
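A minimal form of the MAC check Perrin describes, as an added example that is not code from this thread, from Apache::Session, or from the Eagle book: the ticket carries the session id, an expiry time, and an HMAC-SHA256 over both under a server-side secret, so a client cannot alter the id or extend the expiry without the server noticing. The secret and session id values are constructed placeholders, and the session id is assumed not to contain ':'.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret (placeholder value; load it from server config, never from the request).
my $SECRET = 'replace-with-a-long-random-server-secret';

# Build a ticket: "session_id:expires:mac", where mac covers session_id and expires.
sub make_ticket {
    my ($session_id, $expires) = @_;
    my $payload = join ':', $session_id, $expires;
    return join ':', $payload, hmac_sha256_hex($payload, $SECRET);
}

# Constant-time comparison so a forged MAC cannot be matched byte by byte.
sub mac_equal {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify a ticket at time $now; returns the session id, or undef on any failure.
sub verify_ticket {
    my ($ticket, $now) = @_;
    my ($session_id, $expires, $mac) = split /:/, $ticket, 3;
    return undef unless defined $mac;                         # malformed ticket
    return undef unless $expires =~ /^\d+$/ && $expires > $now;  # expired or bad expiry
    my $expected = hmac_sha256_hex(join(':', $session_id, $expires), $SECRET);
    return mac_equal($mac, $expected) ? $session_id : undef;  # tampered id or mac
}

my $now    = time;
my $ticket = make_ticket('abc123', $now + 3600);              # constructed session id
print "valid:   ", verify_ticket($ticket, $now) // 'rejected', "\n";

(my $forged = $ticket) =~ s/^abc123/zzz999/;                  # client swaps in another id
print "forged:  ", verify_ticket($forged, $now) // 'rejected', "\n";

print "expired: ", verify_ticket($ticket, $now + 7200) // 'rejected', "\n";
```

Because the MAC is keyed with a secret the client never sees, the same ticket string can travel in a URL or a cookie; what matters is that the server recomputes and compares it on every request.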
