Went to learn a little bit about web security after the posts about Firesheep (I know the problem is old but I'm new to web development).
I'm wondering if the idea outlined below would make session stealing a little harder. I'm probably missing something, so would love if you could tell me where I'm wrong.
Server would send a new cookie with each request, suppose it is a sequential number which is the only number accepted by the server for the next request. When the session is stolen, the attacker uses the valid number, incrementing the server counter. The original client then tries to use it, but the counter is now invalid, so he is logged out and has to start all over again. Attacker is also logged out.
Of course this would fail when the client just stops using the website and the attacker continues using it...
However, it gets complicated when you look at the following situation: User authenticates, gets session id of 1234. Attacker steals cookie, now has session id 1234. Next request comes in, session is regenerated by the server. Next request comes in with session id of 1234 (invalid). Server recognizes this and invalidates all sessions for that user id (1234 and the new one). Have to invalidate all of them, because you don't know which is the valid browser request.
That's all well and good. But it will also log out any other browser that I had logged in. In effect, it will annoy your users and greatly degrade the usefulness of the "remember me" cookie.
Is it worth it for your site? Tough to tell. But it will prevent your users from staying logged in across multiple browsers, which is something to take into account. Probably worth it for protecting my bank account (if they didn't use SSL and many other security measures). Probably not worth it for protecting my Pandora mixes.
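The scheme discussed in this thread, as an added example that is not part of the original posts: a server-side store that rotates the session token on every request and revokes all of a user's sessions when a spent token is presented again. The class and function names are hypothetical, and random tokens stand in for the sequential number from the question.

```python
import secrets

class RotatingSessions:
    """Per-request token rotation with reuse detection (constructed sketch)."""

    def __init__(self):
        self.current = {}   # live token -> user
        self.retired = {}   # spent token -> user (a real store would expire these)

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self.current[token] = user
        return token

    def request(self, token):
        """Return (user, next_token), or (None, None) if the token is rejected."""
        if token in self.current:
            user = self.current.pop(token)
            self.retired[token] = user           # remember that it was spent
            nxt = secrets.token_urlsafe(32)
            self.current[nxt] = user
            return user, nxt
        if token in self.retired:
            # A spent token came back: two parties hold the same cookie.
            # The server cannot tell which one is legitimate, so every
            # session of that user is dropped.
            self.revoke_all(self.retired[token])
        return None, None

    def revoke_all(self, user):
        for t in [t for t, u in self.current.items() if u == user]:
            del self.current[t]

def demo():
    # Constructed scenario: one user, two browsers, one copied cookie.
    s = RotatingSessions()
    laptop = s.login("alice")
    phone = s.login("alice")
    stolen = laptop                          # same cookie value, second holder
    _, thief_next = s.request(stolen)        # second holder's request lands first
    victim = s.request(laptop)               # original browser replays spent token
    thief_after = s.request(thief_next)      # rotated token was revoked too
    phone_after = s.request(phone)           # collateral: other browser logged out
    # Gap noted in the question: the original client goes idle, so no spent
    # token is ever replayed and nothing triggers revocation.
    s2 = RotatingSessions()
    idle = s2.login("bob")
    user, nxt = s2.request(idle)
    still_in = s2.request(nxt)[0]
    return victim, thief_after, phone_after, user, still_in
```

`demo()` covers both outcomes from the thread: reuse logs out every browser the user had, and an idle original client means the reuse is never noticed.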