Hacker News new | past | comments | ask | show | jobs | submit login

Does signing the cookie with secondary information such IP or UA help? I know they can both be spoofed, but it's an extra layer...

Signing the cookie with IP would break the site for everyone with changing IPs, e.g. mobile users on cellular networks. Web site sessions should persist across IPs.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact