I've developed a website which has a secure logon, and utilising SSL. 

Currently the way I maintain a state, is using the SessionID - I do not 

store objects or data directly in the Session object, but have a server 

side session table held on SQL linked via sessionID. The data held in this 

table is also encrypted. My main question is, is using the SessionID to 

provide a link between user and server secure? I've read stuff briefly on 

Session cookie hijacking etc. The fact that I validate my users within 

each function (in vb COM) against the SessionID, I would like to know if 

using this is secure. If not I presume generating a session token on 

website entry and holding it in the querystring is the best way. 



thanks in advance