You could always opt to restrict the session to a specific IP. Wouldn't stop attackers sharing the same proxy as the target, and would cause problems for users using load-balancing proxies, but it could always be an option when logging in... //F