> But for most realistic scenarios, sessionid theft is not critical and
> probably not even exploitable, provided the attacker cannot sniff all
> traffic between server and client.

Jim, this was a tremendously useful explanation written in an easy-to-understand way. Thank you very much indeed!

--
Milos Prudek