> When you set your own session_id, does the corresponding session file always > exist? Yes, it does. I'm sure..
> If that's not an issue, you could try setting response.session_new = False > before calling session.connect I already tried that, and then it does work. The problem we are running into is exactly this: The response.session_new = True, and is never reset. (I guess it should do that). > Doesn't creating a session id based on the request url open up a session to > hijacking? The sessions are created by web2py as usual, in the request we only add a hash to find the session back (in our case the client might have no cookies). Internally we do also check the ip to avoid session hijacking. What is stored on the disk are the normal web2py sessions. In case that a client supports cookies it all works the normal way. In case there are no cookies, we use the hash from the url to set the session (using session.connect())