I'd be happier if this was conditional on emptySessionPath="true" (or otherwise could be disabled). Otherwise I have to trust that the browser doesn't have some JavaScript and/or IFrame bug that allows a Cookie to be sent.
I think it should be safe, but once in a while there's a vulnerability allowing javascript access to the cookie store (in IE ;) ). We can change that later once it is proven to be safe enough.
Rémy
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]