Secure remember me function?
#4

dcunited08
The primary dogma of security is that you do not trust the user; therefore, you do not trust the remember-me cookie to be on the same system. The dynamic IP issue also happens with NATs: say I have users A and B behind a corporate firewall; they would have the same IP address, or they may switch as they hit various proxy servers. A cookie could be moved from A to B and both could work, or A may not work anymore because their address was NATed differently. The reason I asked about the hash is that you may want to just encrypt it instead of hashing it so that you can decrypt it and use it to search with. Or you may include the username in clear text and the hash so that it cannot be changed and can then be used to search with. Comparing the hash to a list of hashed usernames is not really scalable.

Currently, HTTP has almost no way to verify a client's identity beyond the "here, hold this and give it back" method: cookies. I say almost because there is such a thing as client-side certs. I have used them enough to know they are incredibly annoying and only used in extremely rare situations, read: missile launch web application. (Honestly, there are some things web applications are never a good idea for, and missile launch is one of those.) I will tell you that I worked on an application that attempted to verify unique machines by looking at the MAC IDs and disk IDs, both of which you cannot get from a PHP application. The main question is: how secure does this site have to be, and is it publicly accessible?
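
One way to build the "username in clear text plus hash" cookie described in the post above, as an added example that is not part of the original thread. It assumes a keyed hash (HMAC-SHA256) in place of a plain hash, since an unkeyed hash could be recomputed by whoever edits the username; the function names, cookie layout and key are hypothetical.

```php
<?php
// Added illustration; not code from the thread. Function names, the cookie
// layout and the key below are hypothetical.

// Server-side secret, never sent to the client (constructed sample value).
const REMEMBER_KEY = 'constructed-sample-key-load-from-config-instead';

// Build "username|expiry|mac". The username stays readable so the server can
// look the account up directly; the MAC makes any edit detectable.
function make_remember_token(string $username, int $expires): string
{
    $payload = rawurlencode($username) . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, REMEMBER_KEY);
    return $payload . '|' . $mac;
}

// Return the username if the token is intact and unexpired, otherwise null.
function verify_remember_token(string $token, int $now): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expires, REMEMBER_KEY);
    // hash_equals compares in constant time, so the check leaks no prefix match.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    return rawurldecode($user);
}

$now = 1225713600; // constructed timestamp
$token = make_remember_token('alice', $now + 14 * 86400);
var_dump(verify_remember_token($token, $now));              // intact token
$forged = preg_replace('/^alice/', 'admin', $token);
var_dump(verify_remember_token($forged, $now));             // username edited
var_dump(verify_remember_token($token, $now + 15 * 86400)); // past expiry
```

The token is deliberately not bound to an IP address, for the NAT and proxy reasons given in the post. It only proves the cookie was not altered; a copied cookie still verifies until it expires, so revoking one early needs a server-side record per token.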




