Until now i was planning the blog authorization (which would by the way be used only for the admin area, as no user registration will be left) to be something like the user (that is, myself, considering probably no one else would use the admin area) logs in, i give the user a cookie, everyone’s happy. Usual, isn’t it?
The thing is the content of the cookie. I was thinking that just hashing the login creditentials (that is, what’s stored in the database, eg the email address and the hash of the password) would suffice for authentication, but today a plurk about wireshark made me realize it wouldn’t. So the new method is to hash the ip address of the user in the cookie as well. This way, unless the attacker can somehow get behind the same ip as the original login, even if they had the contents of the cookie, they couldn’t impersonate the logged in user.
Or could they?