One idea I've had for improved admin security is to require the admin password to be re-entered on some occasions, such as when changing forum settings (where title and head tags are altered) and doing other destructive things, like deleting forums, and also for changing the password of any account (including the admin's). This should reduce the impact of a stolen cookie considerably.
Perhaps session IDs could also be tied to the IP you logged in with, which should completely eliminate the ability to steal session cookies unless you can attack from the same IP, I guess.
Tossing them out there. :)
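As an added example (not the poster's code, and not taken from any forum package), here is a small session guard that implements both suggestions from the post: a "re-enter your password" requirement for a fixed set of destructive actions, with a short window during which the re-authentication stays valid, and session IDs bound to the login IP, with a mismatch treated as a stolen cookie. The action names, the five-minute window, the sample account and its password are constructed for the demo and are assumptions, not values from the post.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed policy values (assumptions, not from the post): which actions demand the
# password again, and how long one re-authentication stays valid, in seconds.
SENSITIVE_ACTIONS = {"change_forum_settings", "delete_forum", "change_password"}
REAUTH_WINDOW = 5 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a per-user random salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes


@dataclass
class Session:
    user: str
    login_ip: str  # the address the session was created from
    session_id: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    last_reauth: Optional[float] = None  # None: never re-authenticated since login
    revoked: bool = False


class SessionGuard:
    """Holds users and sessions; every request passes through authorize()."""

    def __init__(self, users: List[User]):
        self.users: Dict[str, User] = {u.name: u for u in users}
        self.sessions: Dict[str, Session] = {}

    def login(self, name: str, password: str, ip: str) -> Optional[Session]:
        user = self.users.get(name)
        if user is None or not verify_password(password, user.salt, user.digest):
            return None
        session = Session(user=name, login_ip=ip)
        self.sessions[session.session_id] = session
        return session

    def authorize(self, session_id: str, action: str, request_ip: str,
                  now: float, password: Optional[str] = None) -> str:
        """Returns 'ok', 'denied', or 'reauth_required'."""
        session = self.sessions.get(session_id)
        if session is None or session.revoked:
            return "denied"
        # IP binding: the cookie is only honoured from the address it was issued to.
        # A mismatch is treated as a stolen cookie and the session is revoked outright.
        if request_ip != session.login_ip:
            session.revoked = True
            return "denied"
        if action not in SENSITIVE_ACTIONS:
            return "ok"
        # Sensitive action: accept a recent re-authentication, or a password supplied now.
        if session.last_reauth is not None and now - session.last_reauth < REAUTH_WINDOW:
            return "ok"
        user = self.users[session.user]
        if password is not None and verify_password(password, user.salt, user.digest):
            session.last_reauth = now
            return "ok"
        return "reauth_required"

    def change_password(self, session_id: str, request_ip: str, now: float,
                        new_password: str, current_password: Optional[str] = None) -> str:
        """Password change is itself a sensitive action; on success every other
        session of that user is revoked so a stolen cookie cannot outlive the change."""
        result = self.authorize(session_id, "change_password", request_ip, now, current_password)
        if result != "ok":
            return result
        session = self.sessions[session_id]
        user = self.users[session.user]
        user.salt, user.digest = hash_password(new_password)
        for other in self.sessions.values():
            if other.user == session.user and other.session_id != session_id:
                other.revoked = True
        return "ok"


def build_demo_guard() -> SessionGuard:
    """Constructed sample data: one admin account with a made-up password."""
    salt, digest = hash_password("correct horse battery staple")
    return SessionGuard([User("admin", salt, digest)])
```

The re-authentication window is what makes the feature usable: the admin types the password once and can then finish a batch of settings changes. The IP check is the blunt version of the post's second idea; it does stop a copied cookie from working elsewhere, but it also logs out legitimate users whose address changes mid-session (carrier NAT, switching from Wi-Fi to mobile), so deployments often pair it with re-issuing the session ID on login and on every privilege change rather than relying on the IP alone.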