11
Currently XOOPS uses the HTTP Header information to check if a user is loged in on a site. It compares the URL in the cookie with the HTTP Header info of the browser, and if they match, you're logged in. Thus, it's not just a security issue, but a key part of XOOPS. This doesn't make it easy to optionalise...
Herko