[Zope] security

[sam]

Besides the AUTHORIZED_USER field in the http header what else does zope use to identify
an http packet from a browser ?.  I am just wondering can I not masquerade as a user by setting 
the http header using httplib or some such utility ?. I have not seen any session ids in the REQUEST
variable which is supposed to contain all the variables in the browser request

thanks
sathya
-- 
##########################
 necessity is the 
mother of invention
##########################