Starcounter/Starcounter.Authorization

Change cookie when it has been used

malx122 opened this issue · 0 comments

It is common practice that a "signin" cookie should only work once, then it should be replaced with another one. Otherwise someone can steal your cookie and use it to spawn multiple sessions in parallel with yours with no chance for you to notice.

If it is replaced every time it is used, someone could still steal the latest one. But they will need to use it fast, and when they have used it, yours will no longer work, so there is at least a chance it can be noticed. It also makes brute-force attacks harder.
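An added illustration of the rotate-on-use scheme described in this issue (example code, not Starcounter.Authorization's own): a server-side store that replaces the "signin" cookie on every use and treats a stale copy coming back as a sign the cookie was copied. The class, method names and the revoke-everything rule are assumptions for the example.

```python
import hashlib
import secrets


class SigninCookieStore:
    """Server-side store of one-time "signin" cookies.

    Only a SHA-256 hash of each cookie value is kept, so a leaked store
    does not yield usable cookies. Each cookie is consumed on first use
    and a fresh one is handed back to the client.
    """

    def __init__(self):
        self._active = {}       # hash of live cookie -> user
        self._consumed = {}     # hash of already-rotated cookie -> user
        self.flagged = set()    # users whose cookies were seen reused

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        # 256 bits of randomness keeps guessing impractical.
        token = secrets.token_urlsafe(32)
        self._active[self._digest(token)] = user
        return token

    def redeem(self, token):
        """Return (user, replacement_cookie), or (None, None) if rejected."""
        h = self._digest(token)
        if h in self._active:
            user = self._active.pop(h)
            self._consumed[h] = user          # remember it so reuse is detectable
            return user, self.issue(user)
        if h in self._consumed:
            # A cookie that was already rotated came back: the legitimate
            # client and a copy holder are now racing. Revoke everything for
            # that user so whichever party continues has to sign in again.
            self.revoke_all(self._consumed[h])
        return None, None

    def revoke_all(self, user):
        self.flagged.add(user)
        for table in (self._active, self._consumed):
            for h in [k for k, u in table.items() if u == user]:
                del table[h]
```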