Chris McDonough writes: > The random element of the token is currently five characters. I may > need to "up" this. The secure cookie requirement is already reflected > in the use cases and in the current implementation. Anybody have any > other bright ideas about how to make session tokens harder to guess? Hash them as GUF does. Dieter