> Again, this is a good step, but is not at all effective against an
> attacker motivated to compromise your site.
You are right. However, it could be an acceptable policy to "improve" overall
security.
> The problem is, while this means something to the developer, it means
> nothing to the average end-user, especially since most large ISP users
> will have IPs that fluctuate from request to request.
I agree again. But once again, maybe a strict policy could make a user open a
new session when their IP address changes (this policy would not be mandatory, of
course)...
This would probably be a pain but could, on the other hand, give a feeling of
increased security to your visitor and discourage a regular attacker, imho.