I have a PHP application with customized session system. I am using cookies to check whether the the user is logged in on a given machine, but i am concerned about the security of that method.
For this, I have used some random key (in cookie and in db) to authenticate the cookie; whether that cookie actually belongs to that user id. (by matching them)
My sessions also check the IP address for any changes since the last sessions entry (in db)
I have used httponly to prevent XSS attacks too (so that way my cookies are not stolen someway)...
But my concerns is in the case someone actually gains access to some user's computer, and manually copies the cookies (or regardless how they acquired them), then use them on his machine which runs on the same public IP address (or simply spoofed IP)... How can we prevent the cookie from being recognized on the other computer? or more simpler, what measure to take in order to the application to reject this cookie?
There's not a lot you can do about the cookie being stolen, it is very unlikely to happen.
I suggest you regenerate the session id whenever the security level changes and time out old sessions. Don't accept any session ID info through GET/POST.
Don't use the IP because you will cause problems for users where their IP changes across page requests, a good example of this are some AOL customers.