Hi. I'm working on an RIA in PHP. To try to prevent session hijacking I introduced a token, generated at login, based off a salt, ISO-8601 week number and the user's IP.
$salt = "blahblahblah";
$tokenstr = date('W') . $salt . $_SERVER['REMOTE_ADDR'];
$token_md5 = md5($tokenstr);
define("token_md5", $token_md5);
Currently, it's passed by GET or POST with every request, but I was wondering if I could avoid this by offering it as a cookie, since it is dependent on the user's IP. I'm just now learning sessions, so I was wondering if there are any security concerns with doing that? Is it a bad idea?