Quote: Originally Posted by Issac
Yep, this is dead on and by far the easiest. Make the SID valid only for the IP it was granted to. Anything else is just plain retarded. Encrypt it as well for good measure.

Basic security 101. ><
I'd rather see them invalidate the Session ID after a successful logout. They would burn through more sessions, but since IPs can be spoofed and the hack would be originating from the machine where the virus is, thus the IP can be logged, it would be a more secure option.
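The two measures discussed in this exchange, binding the SID to the IP it was granted to and invalidating it at logout, can be compared side by side. This is an added example, not code from the thread or from the service under discussion; `SessionStore`, `demo` and the sample addresses are assumptions made for illustration.

```python
import secrets


class SessionStore:
    """Server-side session table: a SID is valid only while it has a row here."""

    def __init__(self, bind_ip=True):
        self.bind_ip = bind_ip
        self._sessions = {}  # sid -> {"user": ..., "ip": ...}

    def login(self, user, ip):
        sid = secrets.token_urlsafe(32)  # random and opaque, carries no data
        self._sessions[sid] = {"user": user, "ip": ip}
        return sid

    def validate(self, sid, ip):
        """Return the user name for a live session, or None."""
        row = self._sessions.get(sid)
        if row is None:
            return None  # unknown SID, or already invalidated by logout
        if self.bind_ip and row["ip"] != ip:
            return None  # SID presented from a different address
        return row["user"]

    def logout(self, sid):
        """Delete the server-side row so the SID cannot be replayed."""
        return self._sessions.pop(sid, None) is not None


def demo():
    # Constructed sample addresses from the documentation ranges (RFC 5737).
    store = SessionStore(bind_ip=True)
    sid = store.login("alice", "192.0.2.10")
    results = {
        # A copy of the SID replayed from the same machine passes the IP check.
        "same_ip_before_logout": store.validate(sid, "192.0.2.10"),
        # The same SID from another address is rejected by the binding.
        "other_ip_before_logout": store.validate(sid, "198.51.100.7"),
    }
    store.logout(sid)
    # After logout the SID is dead regardless of where it is presented from.
    results["same_ip_after_logout"] = store.validate(sid, "192.0.2.10")
    results["other_ip_after_logout"] = store.validate(sid, "198.51.100.7")
    return results


if __name__ == "__main__":
    print(demo())
```

The IP binding alone does not stop a replay from the address the session was granted to, while deleting the server-side row at logout rejects the SID from every address.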