Many Internet and Web applications use session identifiers. Too often, developers of those applications make the bad assumption that all is well because session identifiers are only known to authorized users. However, in ...