in reply to Cookie security and the like

You're in luck: this chapter is free. Short answer: don't put the IP in the cookie, and use good crypto or a MAC (like MD5). Preferably use some kind of user ID instead of their actual login and password.
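
An added example, not part of the reply above: one way to build the kind of cookie it describes, holding only a user ID and an expiry (no login, password or IP) and authenticated with a MAC. The choice of HMAC-SHA-256 as the MAC and the names `make_cookie`, `verify_cookie` and `SECRET_KEY` are assumptions of this example, not taken from the post.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key (assumption); a real deployment loads a random
# secret from server-side configuration and never ships it to the client.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _tag(payload: bytes, key: bytes) -> str:
    """HMAC-SHA-256 over the payload, base64url-encoded without padding."""
    digest = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def make_cookie(user_id: int, ttl: int, now: Optional[int] = None,
                key: bytes = SECRET_KEY) -> str:
    """Return 'user_id.expiry.tag'; the expiry is covered by the MAC."""
    expiry = (int(time.time()) if now is None else now) + ttl
    payload = f"{user_id}.{expiry}"
    return f"{payload}.{_tag(payload.encode('utf-8'), key)}"


def verify_cookie(cookie: str, now: Optional[int] = None,
                  key: bytes = SECRET_KEY) -> Optional[int]:
    """Return the user ID if the tag is valid and unexpired, else None."""
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    uid, expiry, tag = parts
    expected = _tag(f"{uid}.{expiry}".encode("utf-8"), key)
    # Constant-time comparison: do not leak how much of the tag matched.
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        return None
    # Fields are parsed only after the MAC check, so they are values
    # that make_cookie produced with this key.
    current = int(time.time()) if now is None else now
    if current >= int(expiry):
        return None
    return int(uid)
```
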