
On Securing Web Session Ids - jessaustin
http://hueniverse.com/2015/07/08/on-securing-web-session-ids/
======
danielmiessler
I think this might be overcomplicating things. Why not just use a secret to create
the valid sessionID in the first place? Why have it as a separate process if
you already have the ability to mix in a secret?

