WebApp Sec mailing list archives

improvements in session management?


From: flatline <flatline () greyhat nl>
Date: Wed, 31 Mar 2004 19:44:25 +0200

Hi,

I was wondering if people have come up with new techniques to defend against server-side session/state management attacks since the last active thread on this topic.

My own webapps use what I think is so far the best (but far from perfect) solution against session id replay attacks. The idea was discussed some time ago on this list and it involves keeping a global session id (which is probably how all webapps operate), in conjunction with a per-request token. The request token is an id given out by the server, which has to be echoed back by the client on the next request it makes.

The server verifies the session id/request token, discards the current request token and generates a new one for the next request the client will make. Once the server encounters a valid session id in combination with an invalid request token, it knows the session has been subverted and invalidates it. This in fact creates a race condition between the attacker and the client/victim (whose session was stolen), which is AFAIK the only imperfection of this method.

My question to you is if anyone has come up with better ideas or improvements on this technique. I think this subject is far from resolved and needs closer inspection!

TIA,

/ flatline
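The scheme described in the post, as an added example that is not part of the original message: a session id is paired with a single-use request token, each valid request rotates the token, and a valid session id presented with a stale token is treated as a replay and the session is invalidated. The `SessionStore` class, the in-memory dictionary and the two `simulate_*` scenarios are assumptions made for illustration; the two scenarios show the race the post mentions, with the victim or the attacker getting the next request in first.

```python
"""Session id plus per-request rotating token (added example, not from the post)."""
import hmac
import secrets


class SessionStore:
    """Server-side store: session id -> the one request token currently valid for it.

    This in-memory dict stands in for whatever backing store a real app uses;
    it is an assumption made for this example.
    """

    def __init__(self):
        self._sessions = {}

    def create(self):
        """Start a session; the client must echo this token on its next request."""
        sid = secrets.token_urlsafe(32)
        tok = secrets.token_urlsafe(32)
        self._sessions[sid] = tok
        return sid, tok

    def handle_request(self, sid, presented_token):
        """Validate (sid, token). Returns (ok, next_token); ok=False means no session."""
        expected = self._sessions.get(sid)
        if expected is None:
            return False, None  # unknown or already invalidated session id
        # constant-time compare on bytes so a non-ASCII token cannot raise TypeError
        if not hmac.compare_digest(expected.encode(), presented_token.encode()):
            # valid session id but a token that is not the current one:
            # someone replayed an old token, so the session is dropped
            del self._sessions[sid]
            return False, None
        nxt = secrets.token_urlsafe(32)
        self._sessions[sid] = nxt  # discard current token, issue the next one
        return True, nxt

    def is_active(self, sid):
        return sid in self._sessions


def simulate_victim_first():
    """Attacker sniffs (sid, tok); the victim's next request arrives before the replay."""
    store = SessionStore()
    sid, tok = store.create()
    stolen = tok
    ok_victim, tok = store.handle_request(sid, tok)  # victim's request rotates the token
    ok_attacker, _ = store.handle_request(sid, stolen)  # replay of the stale token
    return ok_victim, ok_attacker, store.is_active(sid)  # (True, False, False)


def simulate_attacker_first():
    """Same theft, but the attacker wins the race and replays before the victim."""
    store = SessionStore()
    sid, tok = store.create()
    stolen = tok
    ok_attacker, _ = store.handle_request(sid, stolen)  # accepted: the token was still current
    ok_victim, _ = store.handle_request(sid, tok)  # now the victim looks like the replayer
    return ok_attacker, ok_victim, store.is_active(sid)  # (True, False, False)


if __name__ == "__main__":
    print("victim first  :", simulate_victim_first())
    print("attacker first:", simulate_attacker_first())
```

In the attacker-first case the server still ends up invalidating the session, but only once the victim sends another request; until then the attacker holds the only valid token. Two practical caveats for anyone implementing this: any legitimate client that issues concurrent requests against one session (parallel resource fetches, a second browser tab, a double-clicked link) will trip the same check, and the token must never be bound to a cacheable URL, since a cached page carries a token that is already stale.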

