In the current issue of Web Techniques, merlyn has a good article on using cookies to manage login sessions. His approach is to "brand" the browser with a unique ID, and then manage login/logout + session state on the server side, using the branding as a lookup key into a disk cache of info. This approach avoids all of the problems related to trying to use the browser's reported IP address.