[angelbob]

"Leakable" in the sense that you can hand it to somebody else and they can actually use it.

A cookie is leakable because the client chooses to send it, so copying it to somebody else is really bad. A server-assigned per-connection ID is not leakable unless you can spoof the IP address of the one you're sending as.

[jvdongen]

In principle you could already achieve that by binding a session (and corresponding cookie) to the client's IP address. No big deal.

Problem you may have is that some clients are behind proxy farms and can arrive with different source IP addresses within the scope of a single session.

If you do not bind the 'server-assigned-per-connection ID' to an IP address they become just as 'leakable' as a session cookie.

[vidarh]

Doing server side IP checks is already easy, but in reality it can lead to massive amounts of user complaints when their sessions keep disappearing, because as it turns out, some user segments have a lot of users coming through proxies where each request is not guaranteed to come from the same IP.

[eli]

Or their mobile device roams from WiFi to cell data.

I suspect anyone suggesting that an IP be part of the session security has never actually tried it on a large scale.

[angelbob]

Sure. It'd be nice to have some kind of actual standard to at least make a good best guess here. Cookies are a really, really bad start.

[ay]

Then a translation device at carrier assigns the client a different address. I heard first-hand that this is very annoying.