> Even with a 'randomly' generated session key, a malicious user can still
> steal the session key of an active user. Is there an algorithm or
> solution to this security risk?

Well, I guess encryption (HTTPS) is the best answer. Is it the only answer?