Generally, you don't. The easiest way to prevent session theft is to encode the stream, that is, use https.
Absolutely. Perhaps I misunderstood. You said that the sessionid key is not cryptographically secure. Did you mean the Zope implementation in particular, or cookie-based sessioning in general? I lack experience with cookie theft. My understanding is that a cookie theft is achieved either because the server side was tricked by a third party into divulging the cookie *or* an en-route ISP is simply listening and capturing HTTP traffic. In either case the third party can then set the cookie in his browser and finish the transaction that the original cookie owner started, and otherwise impersonate the cookie owner if this cookie persists between browser sessions. Is this correct?
This is not strictly true. You can invalidate the sessionid on both the server and the client when the transaction is done and issue a new one.
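The invalidate-and-reissue step described in the reply above, as an added example that is not part of this thread and is not CST or Zope code. It uses a hypothetical in-memory `SessionStore` whose `rotate()` moves the stored screen data to a freshly generated id and deletes the old one, so an id captured in transit stops working after the next screen while the data entered so far survives. Ids come from the OS CSPRNG via `secrets`; the cookie attributes and the five-screen walk (`walk_five_screens`) are assumptions for the demonstration.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Hypothetical server-side session store keyed by session id (not CST/Zope)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG: not guessable like a counter or timestamp.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        sid = self.new_id()
        self._sessions[sid] = {}
        return sid

    def get(self, sid: Optional[str]) -> Optional[dict]:
        # Returns None for unknown, invalidated or missing ids.
        if sid is None:
            return None
        return self._sessions.get(sid)

    def rotate(self, old_sid: str) -> str:
        """Issue a fresh id for an existing session, carrying its data over,
        and invalidate the old id so a copy captured en route is useless."""
        data = self._sessions.pop(old_sid, None)
        if data is None:
            raise KeyError("unknown or already-invalidated session id")
        new_sid = self.new_id()
        self._sessions[new_sid] = data
        return new_sid

    def destroy(self, sid: str) -> None:
        # Called when the transaction is finished and nothing needs to persist.
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    # Secure: only sent over https; HttpOnly: not readable by page scripts.
    # Attribute choice is an assumption, not a CST setting.
    return f"Set-Cookie: sessionid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def walk_five_screens(store: SessionStore):
    """Simulate five form screens: each screen saves its field into the session,
    then the id is rotated. Returns (final_sid, all_ids_issued, final_data)."""
    sid = store.create()
    issued = [sid]
    for screen in range(1, 6):
        store.get(sid)[f"screen{screen}"] = f"value{screen}"  # constructed form data
        sid = store.rotate(sid)
        issued.append(sid)
    return sid, issued, store.get(sid)


def stolen_copy_still_valid(store: SessionStore, stolen_sid: str) -> bool:
    """What an attacker replaying a captured id would find."""
    return store.get(stolen_sid) is not None


if __name__ == "__main__":
    store = SessionStore()
    final_sid, issued, data = walk_five_screens(store)
    print(set_cookie_header(final_sid))
    print("data carried across rotations:", data)
    print("captured id from screen 2 still valid:",
          stolen_copy_still_valid(store, issued[1]))
```

Rotation keeps the session contents because the server re-keys the same dictionary; only the cookie value changes. The captured id is useless as soon as the next screen is served, which bounds the replay window to one request rather than the whole browser session.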
So if I gather information from a user on five screens and I use a cookie to maintain the information entered on previous screens, that's what sessioning is about, isn't it? Do you suggest that I should invalidate the cookie after each of these five screens and issue a new one? That would trash the data maintained in the original session (I'm using CST, CoreSessionTracking). -- Milos Prudek