
04-27-2004, 08:43 AM
Registered User
Join Date: Dec 2002
Posts: 978
Well, hijacking a session in progress is not a good thing, if that is what the cookie hash stealing allows. You can do a lot of damage in one session.
If I read that right, it may be best to flag the IP (or maybe a limited range) in use when the user first logged in and entered username and password to generate the hash, and if that hash is attempted from a different IP, force them to log in, which would flag whatever new IP is now in use. If they fail an IP check while the same session is in use on a good IP at the very same time (A, then B, then A, then B, try to use the session), then send a reverse ionic neutrino pulse back through the connection to the attacker and blow out his plasma conduits.
That would allow you to log in from anywhere, on any ISP, and at worst would mean that the 'stay logged in' feature would cop out now and then if you are connecting again with a different IP.
Also, if you are worried about staff using the same password for GK as for the forums, when you set a password, you could run a PHP app to connect to the server list and test the username and password; if it is the same, reject the new password set attempt.
Still, if restricted IP ranges were simply set up for mod/supermod accounts, that would solve 99% of the threat, though anyone could steal a normal fellow's account and post 'POOPY HORSE' all over or some dumb thing, as it seems people will spend the time to do.
__________________
Woodsman Padren Talisan Sagesun (Dustari)
Graal Kingdoms
"Uh, Professor, are we even allowed in the Forbidden Zone?"
"Why, of course! It's just a name, like the Death Zone or the Zone of No Return. All the zones have names like that in the Galaxy of Terror."
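A minimal version of the IP-binding scheme the post describes, written here as an added example (not code from the post or from the forum software): sessions are bound to the client's address block at login, use from another block forces a fresh login, and a session that keeps flipping between two blocks (A, B, A, B) is revoked. The /24 grouping, the flip threshold and the sample addresses are assumptions.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    bound_net: ipaddress.IPv4Network          # block the session was issued to
    history: list = field(default_factory=list)  # recent client blocks seen


class SessionStore:
    """Session table that ties each token to the login IP's /24 (assumed
    "limited range" so an ISP reassigning within the block does not force
    a re-login) and detects interleaved use from two different blocks."""

    def __init__(self, prefix=24, flip_limit=3):
        self.prefix = prefix
        self.flip_limit = flip_limit   # A,B,A,B produces this many switches
        self.sessions = {}

    def _net(self, ip):
        return ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False)

    def login(self, user, ip):
        """Successful username/password login: issue a token bound to this IP."""
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, self._net(ip), [self._net(ip)])
        return token

    def check(self, token, ip):
        """Validate a request carrying `token` from `ip`.
        Returns "ok", "reauth" (force a login from the new IP),
        "revoked" (two clients alternating on one session) or "invalid"."""
        s = self.sessions.get(token)
        if s is None:
            return "invalid"
        net = self._net(ip)
        s.history.append(net)
        s.history = s.history[-8:]          # keep a short sliding window
        # count switches between different blocks within the window
        flips = sum(1 for a, b in zip(s.history, s.history[1:]) if a != b)
        if flips >= self.flip_limit:
            del self.sessions[token]        # kill the session outright
            return "revoked"
        if net != s.bound_net:
            return "reauth"
        return "ok"
```

A real deployment would also log the "reauth" and "revoked" events with both addresses, since that is the signal a moderator account is being used from somewhere unexpected.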