If I didn't miss something, the only way of hacking left would be a man-in-the-middle attack. But that one could be done much more efficiently by catching your password at logon. To get rid of that problem, use SSL and check the server certificates. I don't see a better solution. It would be nice if one could use SSL for the login only, but how would you prevent the man-in-the-middle thing?
If you cannot rely on IP-address checking, there is no good way IMHO. A "less worse" way could be to send a new random token to store as a cookie (even possibly with a new cookie-id) with each and every request. That way at least you can do damage control. As soon as the cookie id and/or value is unexpected, throw warnings, and kill the user's session.

/dario

- --------------------------------------------------------------------
Dario Lopez-Kästen                      Systems Developer
Chalmers Univ. of Technology            dario@ita.chalmers.se
ICQ will yield no hits                  IT Systems & Services
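The per-request token rotation Dario describes, as an added example that is not code from the thread: a small in-memory session store (hypothetical class and cookie names `sid`/`tok`, chosen for this illustration) that issues a fresh session id and token on every request, keeps the retired ids around so a replay of old cookies can be recognised, and kills the session the moment an unexpected id or value shows up.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    token: str
    killed: bool = False
    alerts: list = field(default_factory=list)  # warnings raised for this session


class RotatingSessionStore:
    """Assumed, illustrative store: rotates both cookie id and token per request."""

    def __init__(self):
        self.live = {}     # current session id -> Session
        self.retired = {}  # ids already rotated away -> Session, kept so replays are detected

    @staticmethod
    def _fresh():
        # 128 bits from the OS CSPRNG; never a predictable counter or timestamp
        return secrets.token_urlsafe(16)

    def login(self, user):
        sess = Session(user=user, token=self._fresh())
        sid = self._fresh()
        self.live[sid] = sess
        return {"sid": sid, "tok": sess.token}

    def _kill(self, sess, reason):
        # Damage control: one unexpected cookie ends the session for everyone holding it,
        # the legitimate user included, so the hijacker gains nothing further.
        sess.killed = True
        sess.alerts.append(reason)
        return "hijack-suspected", {}

    def handle_request(self, cookies):
        """Validate the presented cookies; on success return ('ok', new cookies to set)."""
        sid = cookies.get("sid", "")
        tok = cookies.get("tok", "")
        sess = self.live.get(sid) or self.retired.get(sid)
        if sess is None:
            return "unknown", {}
        if sess.killed:
            return "killed", {}
        if sid in self.retired:
            # An id we already rotated away came back: someone is replaying captured cookies.
            return self._kill(sess, "replay of rotated session id")
        if not secrets.compare_digest(tok, sess.token):
            return self._kill(sess, "token mismatch on live session id")
        # Everything matched: retire the old id, issue a new id and a new token.
        del self.live[sid]
        self.retired[sid] = sess
        new_sid = self._fresh()
        sess.token = self._fresh()
        self.live[new_sid] = sess
        return "ok", {"sid": new_sid, "tok": sess.token}


if __name__ == "__main__":
    store = RotatingSessionStore()
    first = store.login("alice")
    print(store.handle_request(first))   # ('ok', {...new cookies...})
    print(store.handle_request(first))   # ('hijack-suspected', {}) -- stale cookies replayed
```

The store treats any stale cookie as hostile, which is exactly the "damage control" trade-off from the message: a captured cookie is only good until the next legitimate request, but the real user is logged out whenever a replay is seen. In a real deployment the previous token needs a short grace window, because browsers issue several requests in parallel and each of them would otherwise carry the cookies of the request before it.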