Rather than passing around lots and lots of data as hidden form fields all the time, I'm planning to extend Scott's Session object to support storing and retrieving of per-Session data.

Issues with this:

In a non-https environment, it would be rather easy to hijack a session by looking at a cache log. I could store the IP address, but this breaks many cache farms (where a session may come from different IP addresses...) :(

Is it better to store this in an SQL database, or in the session object itself? I want this to be preserved in the case where Zope restarts, which means I can't just use _v_object type variables. Storing it in the Session object itself means that the ZODB will grow at a stupid rate. Storing it in an SQL database means a bit of a performance hit.

Has anyone already implemented something like this? Thoughts?

Anthony
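The trade-offs raised in the post above, as an added example that is not part of the original post and is not Scott's Session object: per-session data kept in an SQL table survives a restart, and an optional IP check shows how binding a session to one address rejects a client that arrives through a second cache-farm proxy. The class name `SqlSessionStore`, the table layout and the use of SQLite as the SQL database are assumptions made for illustration.

```python
import json
import secrets
import sqlite3
import tempfile

class SqlSessionStore:
    def __init__(self, path, bind_ip=False):
        self.db = sqlite3.connect(path)   # on-disk file, so data outlives the process
        self.bind_ip = bind_ip
        self.db.execute("CREATE TABLE IF NOT EXISTS session_data "
                        "(sid TEXT PRIMARY KEY, ip TEXT, data TEXT)")

    def create(self, client_ip):
        sid = secrets.token_urlsafe(32)   # unguessable, but replayable if it leaks into a log
        with self.db:
            self.db.execute("INSERT INTO session_data VALUES (?, ?, '{}')", (sid, client_ip))
        return sid

    def load(self, sid, client_ip):
        row = self.db.execute("SELECT ip, data FROM session_data WHERE sid = ?",
                              (sid,)).fetchone()
        if row is None:
            raise KeyError("unknown session")
        if self.bind_ip and row[0] != client_ip:
            raise PermissionError("session presented from a different IP address")
        return json.loads(row[1])

    def set(self, sid, client_ip, key, value):
        data = self.load(sid, client_ip)
        data[key] = value
        with self.db:
            self.db.execute("UPDATE session_data SET data = ? WHERE sid = ?",
                            (json.dumps(data), sid))

def demo():
    # Constructed input: 192.0.2.10 and 192.0.2.11 stand for two proxies of one cache farm.
    path = tempfile.mkdtemp() + "/sessions.db"
    store = SqlSessionStore(path)
    sid = store.create("192.0.2.10")
    store.set(sid, "192.0.2.10", "basket", ["item-1"])
    store.db.close()                      # simulate a server restart
    # Without IP binding the data is readable from the second proxy (and by anyone holding sid).
    survived = SqlSessionStore(path).load(sid, "192.0.2.11")["basket"]
    try:
        SqlSessionStore(path, bind_ip=True).load(sid, "192.0.2.11")
        blocked = False
    except PermissionError:
        blocked = True                    # IP binding rejects the legitimate cache-farm user
    return survived, blocked
```

Calling `demo()` returns the stored value read back after the simulated restart, plus a flag showing that the IP-bound store refused the same session from the second proxy address.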