Is it possible to use the UBB's ability to track IP's and encrypt that info in the cookie so that a hijacked cookie is worthless? Of course the password would have to be encrypted too. I realize that it would force users to re-login if the IP changes but even if it was a Class C or B it would allow modem users or AOL proxied users to stay logged in and still prevent nearly all cookie hijack problems.
I know that the Infopop guys go to great lengths to filter HTML and prevent exploits but face it, we're only one step ahead of the people that thrive on the enjoyment they get from malicious behavior and tearing down communitys.