This chapter needs to be broken into:
Session fundamentals - crypto - idle - etc
Session storage - client side storage - server side storage
Per-platform - simplify each section - add a J2EE and .NET section
Q: (Javier Fernandez-Sanguino) Should this chapter add a reference (in the "Protecting identifier" section) to http://www.owasp.org/index.php/HTTPOnly ? Although not (yet) standard, this is supported by all major browsers.