Any indication of a release of 3.2 in the wind or is it likely to go through
some more beta phases?
A couple of notes that relate to the way Tomcat itself does this:
* As of version 3.2, the algorithm used to calculate the next session ID
has been made *much* harder to calculate the next session ID value.
Of course, nothing stops a snooper from swiping the session ID of a
current session unless you are running across an encrypted connection
(see more below on this topic).