I have been considering the problems arising with user authentication, using sessions/cookies and the security risks that come up with session hijacking. I understand that using a secure https:// is the most effective method, as well as regenerate_session_id() and using a random string for validation (amongst numerous additional procedures).

My question is this: is there a possibility to incorporate a method that forgoes sessions and cookies, and uses just database held variables?

Here is how I would set it up:

-Have a column in the user table that can hold an IP address, and one that would be a Boolean.

-When the user ‘logs in’, set the current IP address of the user into the database, and sets the Boolean value to false (if the user doesn’t want to be ‘remembered’) or true (if they do).

-On page load, it checks the current IP address with the one stored in the user database. If it matches, the user is considered valid.

-On window close, the script would then clear those values and the user would be ‘logged out’.

-If the user wanted to ‘stay logged in’ (which I know is a huge security risk) then a toggle (the Boolean value) would simply deactivate the log out script and the IP address would stay stored for the user.

What would be the fallbacks to such a method? Is it even possible?