I don't understand.  When you say "key", do you mean the session id (which
is read in from the cookie)?

If so, yes, that should be tainted, which I guess would taint the session
data... is that what you're saying?

Huh... then I guess you wouldn't want to untaint the session data until you
have verified that the session id was valid (like checking remote ip and
port are the same as last time, and session hasn't timed out, etc).

Well, that's a very good point.


----- Original Message -----
From: "Patrick May" <patrick-may / monmouth.com>

The session data is not external, but the _key_ is.  I don't know how
this changes the discussion, but it seems important to me.

~ Patrick
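The rule the two messages converge on, that the session id read from the cookie is external input and the session data it selects must stay unusable until that id has been checked, can be made explicit in code. The following Ruby is an added example and is not code from either poster; it uses a small hand-written Tainted wrapper instead of the interpreter's taint flag (which newer Ruby versions no longer provide), and the session id format, the in-memory store and the Session struct are assumptions made for illustration.

```ruby
# Added example: explicit taint tracking for a cookie-supplied session id.
# Anything read from the request is wrapped in Tainted; the only way to get
# the raw value back is through a validator block.
class Tainted
  def initialize(raw)
    @raw = raw
  end

  # Yields a frozen copy to the validator; returns it only if the block
  # accepts it, otherwise nil. The caller never sees the raw value before
  # the check runs.
  def untaint_if
    candidate = @raw.dup.freeze
    yield(candidate) ? candidate : nil
  end

  # Accidental use as a string (interpolation, concatenation) fails loudly.
  def to_s
    raise ArgumentError, "tainted value used without validation"
  end
  alias to_str to_s
end

# Assumed id format: 32 lowercase hex digits, as a typical generator emits.
SESSION_ID_RE = /\A[0-9a-f]{32}\z/

class SessionStore
  Session = Struct.new(:data, :remote_ip, :remote_port, :last_seen)

  # check_port is opt-in: see the note below about why a strict port
  # comparison is rarely what you want.
  def initialize(timeout: 900, check_port: false)
    @timeout = timeout
    @check_port = check_port
    @sessions = {}
  end

  def create(id, data, remote_ip, remote_port, now)
    @sessions[id] = Session.new(data, remote_ip, remote_port, now)
  end

  # Returns [:ok, data] only after every check passes; otherwise
  # [:reject, reason]. Session data is never touched while the id is
  # still tainted.
  def lookup(tainted_id, remote_ip, remote_port, now)
    id = tainted_id.untaint_if { |s| s =~ SESSION_ID_RE }
    return [:reject, :malformed_id] unless id

    session = @sessions[id]
    return [:reject, :unknown_id] unless session
    return [:reject, :ip_mismatch] unless session.remote_ip == remote_ip
    return [:reject, :port_mismatch] if @check_port && session.remote_port != remote_port

    if now - session.last_seen > @timeout
      @sessions.delete(id)          # expired sessions are dropped, not revived
      return [:reject, :expired]
    end

    session.last_seen = now
    [:ok, session.data]
  end
end

# Constructed sample run (not a real session).
if $PROGRAM_NAME == __FILE__
  store = SessionStore.new(timeout: 900)
  t0 = Time.at(1_000_000)
  id = "0123456789abcdef0123456789abcdef"
  store.create(id, { user: "alice" }, "10.0.0.5", 40_000, t0)
  p store.lookup(Tainted.new(id), "10.0.0.5", 40_000, t0 + 10)
  p store.lookup(Tainted.new(id), "10.0.0.6", 40_000, t0 + 10)
  p store.lookup(Tainted.new("../etc/passwd"), "10.0.0.5", 40_000, t0 + 10)
end
```

One caveat on the "port" check mentioned above: the client's source port normally changes with every TCP connection, so comparing it between requests would reject most legitimate follow-ups; the example therefore leaves it off by default while keeping the remote address and timeout checks on.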