Quote from: Mathias
One idea I've had for improved admin security is to require the admin password to be re-entered on some occasions, such as when changing forum settings (where title and head tags are altered) and doing other destructive things, like deleting forums, and also for changing the password of any account (including the admin's). This should reduce the impact of a stolen cookie considerably.
I will look into some of these ideas.
Quote from: Mathias
Perhaps session IDs could also be tied to the IP you logged in with, which should completely eliminate the ability to steal session cookies unless you can attack from the same IP, I guess.
This has already been implemented and is enabled by default in the "Admin IP Address Session Lock" section of the settings page.
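The two mechanisms discussed in this thread, an admin IP session lock and a password re-entry step before destructive actions, sketched as an added example (not the forum software's own code). The account, password, IPs, session store and 300-second re-auth window are constructed for illustration.

```python
import hashlib
import hmac
import secrets

REAUTH_WINDOW = 300  # seconds a fresh password entry stays valid for destructive actions
DESTRUCTIVE = {"change_settings", "delete_forum", "change_password"}

# Constructed credential store: one admin account with a PBKDF2 hash (not a real user).
_SALT = b"constructed-salt"
USERS = {"admin": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
SESSIONS = {}  # session ID -> Session

def verify_password(user, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return user in USERS and hmac.compare_digest(USERS[user], digest)

class Session:
    def __init__(self, user, ip, now):
        self.sid = secrets.token_urlsafe(32)  # unguessable session ID
        self.user = user
        self.bound_ip = ip    # IP the admin logged in from
        self.last_auth = now  # last time the password was entered

def login(user, password, ip, now):
    if not verify_password(user, password):
        return None
    s = Session(user, ip, now)
    SESSIONS[s.sid] = s
    return s.sid

def resolve(sid, ip):
    """Admin IP session lock: a stolen cookie presented from another IP is rejected."""
    s = SESSIONS.get(sid)
    if s is None or not hmac.compare_digest(s.bound_ip, ip):
        return None
    return s

def reauthenticate(sid, ip, password, now):
    """Step-up: refresh last_auth only if the cookie is valid and the password matches."""
    s = resolve(sid, ip)
    if s is None or not verify_password(s.user, password):
        return False
    s.last_auth = now
    return True

def authorize(sid, ip, action, now):
    """'ok', 'denied' (bad or foreign-IP cookie) or 'reauth_required' (stale password)."""
    s = resolve(sid, ip)
    if s is None:
        return "denied"
    if action in DESTRUCTIVE and now - s.last_auth > REAUTH_WINDOW:
        return "reauth_required"
    return "ok"
```

As the thread notes, the IP lock only helps against a cookie replayed from a different address; the re-auth step is what limits what a replayed cookie from the same address can do.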