It is trade-off between convenience and security. With my approach stolen cookies are not usable from different computer / IP, the attacker needs additional work, he needs the victim computer to do the harm, his computer cannot do any harm. The downside is the user needs another log-in in case of his external IP changes. How often is it? Switch between mobile/WiFi. Otherwise … almost never … maybe 1x per day? I’m not proposing to log-out the user after IP change, I’m proposing to keep multiple sessions (on server) / auth cookies (on client) for each IPv4 or IPv6 prefix (let’s say /56).
Makes sense, how would you represent
floor(1e42
) orceil(1e120)
as integer? It would not fit into 32bit (unsigned) or 31bit (signed) integer. Not even into 64bit integer.