> My understanding is that you CANNOT assume different requests in > the same session from the same computer are coming from the same IP.
Yea, I've heard of that, but it seems to work. phpBB has an option to only check some of the IP, which would probably work even better. Worst case is if I get a bug report from someone saying "I can't log in" and it not just that the user forgot his password... it's a trivially easy change to make.
