Hi, And now we are talking about XEP-0198, I think the security considerations should take some more situations into account for the session hijacking protection. When properly and securely authenticated, the authentication is enough protection against session hijacking. But when using SASL-Anonymous, the session id MUST be unpredictable AND the session MUST be encrypted, otherwise the session can be hijacked. Think it would be better to add that to the spec.
Winfried
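An added illustration of the rule proposed above, not code from the message or from any XEP-0198 implementation: a hypothetical server-side model of `<enable resume='true'/>` and `<resume previd='...'/>` handling in Python, where the resumption id comes from a CSPRNG, an anonymous session may only be resumed over an encrypted stream, and an authenticated session may only be resumed by a stream authenticated as the same JID. The class and method names, and the error strings, are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class SmSession:
    jid: str          # bare JID the original stream authenticated as
    anonymous: bool   # True if it authenticated with SASL ANONYMOUS
    encrypted: bool   # True if the original stream ran over TLS
    h: int = 0        # stanzas handled so far (XEP-0198 'h' counter)


class StreamManager:
    """Hypothetical server-side model of XEP-0198 resumption checks."""
    ID_BYTES = 32  # 256 bits of entropy: the id must be unguessable

    def __init__(self):
        self._sessions: dict[str, SmSession] = {}

    def enable(self, jid, anonymous, encrypted):
        # Mint the id from the OS CSPRNG, never from a counter or timestamp.
        sm_id = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[sm_id] = SmSession(jid, anonymous, encrypted)
        return sm_id

    def resume(self, previd, new_jid, new_encrypted):
        # Constant-time comparison so the lookup leaks nothing about valid ids.
        match = None
        for sm_id, sess in self._sessions.items():
            if hmac.compare_digest(sm_id.encode(), previd.encode()):
                match = sess
        if match is None:
            return (False, "item-not-found")
        if match.anonymous:
            # Anonymous: the id is the only secret, so both the stream that
            # received it and the stream presenting it must be encrypted.
            if not (match.encrypted and new_encrypted):
                return (False, "policy-violation")
        elif match.jid != new_jid:
            # Authenticated: the resuming stream must prove the same account.
            return (False, "not-authorized")
        return (True, match.h)
```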