On 12/2/05, Mike Orr <[EMAIL PROTECTED]> wrote: > > On 12/1/05, Jeff Watkins <[EMAIL PROTECTED]> wrote: > > You're unlikely to need to worry about someone spoofing an identity cookie. > > This means it's unlikely that someone would be able to generate a valid > > identity cookie. > > Can the identity cookie be used as a session identifier too then? Or > can a session identifier be put into it?
That could conveniently be done with, um, "p"''s suggested approach. We could unify the cookie by having a single unit that keeps track of the identity and session ID info. Kevin
