I see some users are generating unsafe session IDs. The purpose of the change is
not to generate insecure IDs when a user wants some prefix in the session ID.
What's an "insecure session ID" and how is it related to the matter we are
discussing?
If there is not an easy way to create a secure session ID (Currently, we
don't), users may generate session IDs on their own, which may be insecure.
Simple question ... does it actually matter?
If a session id is simply used for navigating a visit to a site then as long as it works it's fine? If *I* am working with a secure site then I have another level of security via a VPN connection. As an intermediate for secure financial transactions, it's the service providers who dictate the security used?
Again we seem to be targeting things which are under rules which may be dictated by third party requirements, and third party tools such as ssh?