> The only information in the cookie is the browser ID -- just a unique > key to retrieve the session data saved on the server. The key is NOT > cryptographically secure -- capturing the key would enable you to steal > a session if the application didn't check for that. This is intended, This raises an interesting question: How do you check in the application if section was stolen? -- Milos Prudek