For example, if I sign on to a bank website, and the bank gave me a cookie as an auth token.
Now instead of logging off, I simply close the web browser tab.
So now, if a hacker can somehow get my auth token, can he or she then fake that it is me by also faking the IP?
(I suppose the bank will restrict access to the IP I used with that auth token... but then isn't it true that even if the hacker cannot fake an IP address, he or she might be able to emit requests from my Mac or PC and therefore really emit the requests from my IP?)