TWiki extensions can set/get/clear session variables persistently per user session with the TWiki::Func API. The session variables can be manipulated with the SESSION_VARIABLE
In some cases it is desirable to hide extension specific session variables from the SESSION_VARIABLE variable. For example, the EmailTwoStepAuthContrib
needs to safely store the access code, so that it can't be highjacked by an intruder.
This small no-brainer enhancement: Session variable names starting with an underscore, such as _XYZ, can't be set/get/cleared using the SESSION_VARIABLE variable.