> That's also what I referred to when mentioning "SSL Session" - see, the
> SSL layer in effect creates a session with the client, and one can thus
> use this to do sessioning/sticking with - AT LEAST this works when you use
> client certificates, but I'm not totally sure how this goes when there is
> no client certificate. Still the browser and server have to do some
> negotiation of what session key they'll use - and this is what I believed
> was the key to session-keeping-aspect of SSL.

It works fine without client keys. Usually. :) Some browsers don't reuse SSL session IDs. Also, you will still have the possibility of hopping servers when you switch from http to https, since you can't map from a cookie to an SSL session ID.
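
Added example, not part of the original message or of any real balancer's code: a toy model of a balancer that keeps one stickiness table keyed by cookie (plain HTTP) and another keyed by SSL session ID (HTTPS), to show the two caveats in the reply above. The class, backend names, cookie value and session IDs are all constructed for illustration, and the round-robin choice for unseen keys is an assumption.

```python
from itertools import cycle


class StickyBalancer:
    """Toy balancer: sticks HTTP by cookie and HTTPS by SSL session ID."""

    def __init__(self, backends):
        self._next = cycle(backends)   # round-robin for keys not seen before
        self.by_cookie = {}            # cookie value   -> backend
        self.by_ssl_session = {}       # SSL session ID -> backend

    def route(self, scheme, cookie=None, ssl_session_id=None):
        # Assumption: on HTTPS the balancer keys only on the SSL session ID
        # and on HTTP only on the cookie, so the two tables share no key.
        if scheme == "https":
            table, key = self.by_ssl_session, ssl_session_id
        else:
            table, key = self.by_cookie, cookie
        if key not in table:
            table[key] = next(self._next)
        return table[key]


def demo():
    lb = StickyBalancer(["app1", "app2", "app3"])  # constructed backend names
    out = {}
    # 1. Browser reuses its SSL session ID: every request hits one backend.
    out["reused"] = [lb.route("https", ssl_session_id="sid-A")
                     for _ in range(3)]
    # 2. Browser negotiates a new session per connection: stickiness is lost.
    out["not_reused"] = [lb.route("https", ssl_session_id=f"sid-B{i}")
                         for i in range(3)]
    # 3. Same user moves from http to https: the cookie pinned one backend,
    #    but the fresh SSL session ID is an unrelated key and is routed anew.
    out["http"] = lb.route("http", cookie="appsession=u1")
    out["https"] = lb.route("https", cookie="appsession=u1",
                            ssl_session_id="sid-C")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```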