Add the IP of the PC to the cookie to make it only usable on one PC.
Save a copy of the cookie in your database and check if it is the same as the one you gave.
Always let users re-authenticate if they do something important like changing the password or email.
I know it's all just to make the hacking a bit harder, but it's still possible. Sessions are more secure and should be used when possible and always when you need more security.
You should try encryption.
Also, rvec, IPs aren't the best idea... IPs change.
Then let them log in again, or use some setting in their config. One IP makes it a lot more secure, because the hacker won't be able to use the same cookie on another PC.
Unless he knows you check the IP and sends the wrong IP with his headers. So if you encrypt it and use strange keys (not nick, pass and ip but better 7jdK or 1 or other non-explaining keys), it should make it a lot harder.
Well, but I could still view the cookie, and then manually set it again using Firefox's Web Developer Toolbar.
Is there any way to stop that from happening?
If the info is sensitive and you show stuff like full bank account or credit card numbers (and not something like *********132), then I'd really suggest using as much security as you can get.
And if a user keeps his browser open and walks away, it's just as vulnerable with sessions. And if you put the session ID in the URL, another user could also copy that session ID if the user doesn't log out.
I think the best thing would be to use encrypted cookies if you want your users to stay logged in longer; use sessions every time a user visits the site; don't let the IP of the user change within a session; change the session ID every time before you change the password or access level of a user; and ask for the password every time you show or edit important information.
That should cover most security risks.
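An added example, in Python, that is not code posted by anyone in this thread: it puts together the advice from the earlier reply (keep a copy of the cookie in your database, use non-explaining keys, re-authenticate for important actions) and the summary above (change the session ID before a password change). The cookie carries only a random selector and token plus an expiry, signed with an HMAC so a forged or edited cookie is rejected, and the token is stored hashed on the server so a database leak does not hand out usable cookies. `SERVER_KEY`, `issue_cookie`, `verify_cookie` and the in-memory dicts standing in for database tables are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; a real application loads this from
# configuration, never from the code or the cookie.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_LIFETIME = 30 * 24 * 3600   # remember-me cookie valid for 30 days
RECENT_AUTH_WINDOW = 300           # seconds a password check stays "fresh"

# Constructed in-memory stand-ins for two database tables.
remember_tokens = {}   # selector -> {"user", "hash", "expires"}
sessions = {}          # session id -> {"user", "verified_at"}


def _sign(payload: bytes) -> str:
    """HMAC over the cookie payload so the client cannot edit any field."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def _hash_token(validator: str) -> str:
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_cookie(user: str, now: float) -> str:
    """Create a remember-me cookie: opaque selector, random token, expiry, signature."""
    selector = secrets.token_urlsafe(9)     # lookup key, meaningless on its own
    validator = secrets.token_urlsafe(24)   # the secret part, stored only as a hash
    expires = int(now) + COOKIE_LIFETIME
    remember_tokens[selector] = {"user": user, "hash": _hash_token(validator), "expires": expires}
    payload = f"{selector}:{validator}:{expires}"
    return f"{payload}:{_sign(payload.encode())}"


def verify_cookie(cookie: str, now: float):
    """Return the user the cookie belongs to, or None if it is forged, expired or revoked."""
    try:
        selector, validator, expires, sig = cookie.split(":")
    except ValueError:
        return None
    payload = f"{selector}:{validator}:{expires}"
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None                          # signature mismatch: edited or forged
    record = remember_tokens.get(selector)
    if record is None or int(expires) != record["expires"] or now > record["expires"]:
        return None                          # unknown, replayed with old expiry, or expired
    if not hmac.compare_digest(_hash_token(validator), record["hash"]):
        # Valid signature but the stored copy differs: treat as a stolen or stale
        # cookie and invalidate the selector so neither copy works any more.
        remember_tokens.pop(selector, None)
        return None
    return record["user"]


def revoke_user_cookies(user: str) -> int:
    """Drop every remember-me token of a user, e.g. after a password change."""
    stale = [sel for sel, rec in remember_tokens.items() if rec["user"] == user]
    for sel in stale:
        del remember_tokens[sel]
    return len(stale)


def create_session(user: str, now: float) -> str:
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "verified_at": now}
    return sid


def regenerate_session(old_sid: str, now: float) -> str:
    """Swap the session id before a privilege or password change; the old id dies."""
    record = sessions.pop(old_sid)
    return create_session(record["user"], record["verified_at"] if now is None else now)


def require_recent_auth(sid: str, now: float) -> bool:
    """True if the user entered the password within RECENT_AUTH_WINDOW seconds."""
    record = sessions.get(sid)
    return record is not None and now - record["verified_at"] <= RECENT_AUTH_WINDOW
```

The IP check discussed earlier in the thread is deliberately left out of the cookie itself: since the client can send whatever headers it likes, an IP stored alongside the selector in `remember_tokens` and compared on the server is the only form that adds anything, and even that breaks for users whose address changes.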