> In Section 6.1 ("Countermeasures" / "Use secrets"), you seem to
> concentrate on secrets that are explicitly stored in the server-side
> session record. But one can also use a secret that is computed on-the-fly:
>
> secret = SHA1(site_secret, session_id)
>
> or, in the absence of...
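The computed-on-the-fly secret described in the quoted reply, as an added example that is not part of the original message: the per-session anti-CSRF token is derived from a site-wide secret and the session id (here with HMAC-SHA256 in place of the post's SHA1 construction, so the site secret acts as a proper key) and checked with a constant-time comparison. `SITE_SECRET`, the session ids and the function names are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample values (not from the original post): a long-lived
# site-wide secret and two session identifiers.
SITE_SECRET = b"constructed-site-secret-keep-this-out-of-source-control"
SESSION_A = "sess-7f3a9c"
SESSION_B = "sess-1b2e4d"


def derive_token(site_secret: bytes, session_id: str) -> str:
    """Derive the per-session secret on the fly.

    The post writes this as SHA1(site_secret, session_id). Here the two
    inputs are combined with HMAC-SHA256 rather than a plain hash over the
    concatenation, so the site secret is used as a key. Nothing beyond the
    session id itself has to be stored in the server-side session record.
    """
    return hmac.new(site_secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_token(site_secret: bytes, session_id: str, presented: str) -> bool:
    """Recompute the token for the presented session and compare it in
    constant time, so the check leaks no timing information about how
    many leading characters of a guess were correct."""
    expected = derive_token(site_secret, session_id)
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """Show the property the scheme relies on: a token is bound to its
    session id and is rejected for any other session or a tampered value."""
    token_a = derive_token(SITE_SECRET, SESSION_A)
    token_b = derive_token(SITE_SECRET, SESSION_B)
    # Flip the last hex digit to simulate a tampered token.
    tampered = token_a[:-1] + ("0" if token_a[-1] != "0" else "1")
    return {
        "same_session": verify_token(SITE_SECRET, SESSION_A, token_a),
        "other_session": verify_token(SITE_SECRET, SESSION_B, token_a),
        "tampered": verify_token(SITE_SECRET, SESSION_A, tampered),
        "distinct": token_a != token_b,
    }


if __name__ == "__main__":
    print(demo())
```

Rotating `SITE_SECRET` invalidates every outstanding token at once, which is the trade-off of deriving rather than storing the per-session secret.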