New Response

You are replying to:

  1. I would believe that this is a problem that Lotus hasn't been aware of/ignored because it hasn't been discussed (until now). As you say, it shouldn't be hard to remedy.

    A simple rewrite of the session key generator to include the IP of the client in the mix should be enough. I'd think all keys are temporarily stored in a registry of some sort. When a cookie is checked, validate it against the IP of the remote host.

    The only open backdoor is that people behind the same router (one IP on the Internet) can hack each other, but that is a small problem compared to the entire Internet being able to use your session.
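The registry-plus-IP check proposed in the comment above, as an added example (not code from the original post or from Lotus): a hypothetical session store that records the creating client's IP next to a random session key and refuses the key from any other address, so a copied cookie is only usable from behind the same public IP.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    client_ip: str  # address the session was created from


class SessionStore:
    """Hypothetical registry of session keys bound to the creating client's IP."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, client_ip: str) -> str:
        # 256-bit random key; the IP is stored beside it rather than mixed into it,
        # so the binding is enforced at validation time instead of being inferable from the key.
        key = secrets.token_urlsafe(32)
        self._sessions[key] = Session(user, client_ip)
        return key

    def validate(self, key: str, remote_ip: str) -> Optional[str]:
        """Return the user for a valid key presented from the IP it was issued to, else None."""
        sess = self._sessions.get(key)
        if sess is None or sess.client_ip != remote_ip:
            return None
        return sess.user

    def revoke(self, key: str) -> None:
        self._sessions.pop(key, None)


def demo() -> dict:
    # Constructed sample addresses (documentation ranges), not real hosts.
    store = SessionStore()
    key = store.create("alice", "203.0.113.5")
    return {
        "owner": store.validate(key, "203.0.113.5"),
        # Copied cookie presented from a different network is rejected.
        "stolen_from_other_network": store.validate(key, "198.51.100.9"),
        # Another host behind the same NAT shares the public IP: the check cannot tell them apart.
        "same_nat_neighbour": store.validate(key, "203.0.113.5"),
        "unknown_key": store.validate("not-a-real-key", "203.0.113.5"),
    }
```

The `same_nat_neighbour` entry is the residual gap the comment points out: the IP check only narrows who can replay a leaked cookie, it does not remove the need to keep the cookie secret.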
