Web application session handling is one of the most difficult things to do right. As we move more and more towards standard web frameworks (django, rails, etc.) to handle the basic functionality of a custom web application, this becomes a smaller issue. Unfortunately, there are engineers and developers that insist on going it alone in this realm. There are also legacy applications that require backward compatibility and then there are just plain old out of date applications that still serve publicly.