From a892751e328d8d8eff894e85d64c04df76be4c34 Mon Sep 17 00:00:00 2001 From: Gregory Everett Brandon <36095842+gebbber@users.noreply.github.com> Date: Sun, 26 Jan 2025 10:50:01 -0700 Subject: [PATCH] Update README.md Clarified advantages to requiring signed cookies in addition to the use of a high-entropy session ID --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 65a37e63..7c8ce7af 100644 --- a/README.md +++ b/README.md @@ -313,8 +313,10 @@ would best be a random set of characters. A best practice may include: - Periodic updates of the secret, while ensuring the previous secret is in the array. -Using a secret that cannot be guessed will reduce the ability to hijack a session to -only guessing the session ID (as determined by the `genid` option). +Although primary session security is derived from the use of a high-entropy session +ID, the additional use of signed cookies avoids needing to validate the contents of +the cookie, and eliminates the need to implement rate limiting to avoid brute force +attempts. Changing the secret value will invalidate all existing sessions. In order to rotate the secret without invalidating sessions, provide an array of secrets, with the new
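Review bot: The replacement paragraph in this hunk overstates what signed cookies buy. The removed sentence accurately named the residual risk (an attacker is reduced to guessing the session ID "as determined by the `genid` option"); the new text drops that and instead claims signing "eliminates the need to implement rate limiting to avoid brute force attempts", which is not what a cookie signature does. A signature lets the server reject tampered or forged cookies before it touches the session store, so guesses that lack a valid signature are cheap to discard, but it does not replace a high-entropy session ID, and rate limiting remains a reasonable defence in depth against guessing and against abuse of the store. Suggest keeping the original sentence and adding the narrower benefit, e.g. "Signed cookies additionally let the server reject tampered or forged cookies without a store lookup." Also, "avoids needing to validate the contents of the cookie" is unclear in this context (the cookie value is the session ID, which is validated by the signature check itself); say what is actually skipped.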