This report is ridiculous and quite frankly shows that the author does not understand how IPB works. Yes, the author is correct in finding that if you: copy the user's IP address, copy the user's user-agent and copy the user's session ID, then they can "hijack" your session. That's because, to all intents and purposes, you are the same person. A stateless HTTP application HAS to authenticate against SOMETHING. This report is bogus. Feel free to relabel it "Stateless HTTP authentication potential vulnerability" and remove it from Invision Power Board's category.
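
The session check discussed in the comment above, as an added example that is not part of the original comment and is not Invision Power Board's code: a server-side session bound to the IP address, user agent and session ID seen at login. The class, function and member names and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Hypothetical server-side sessions bound to the client IP and User-Agent."""

    def __init__(self):
        self._sessions = {}  # session ID -> (member, bound fingerprint)

    @staticmethod
    def _fingerprint(ip, user_agent):
        # Length-prefix the IP so the two fields cannot run into each other.
        material = f"{len(ip)}:{ip}|{user_agent}".encode()
        return hashlib.sha256(material).digest()

    def login(self, member, ip, user_agent):
        sid = secrets.token_hex(16)  # unguessable 128-bit session ID
        self._sessions[sid] = (member, self._fingerprint(ip, user_agent))
        return sid

    def authenticate(self, sid, ip, user_agent):
        """Return the member name, or None if any of the three values mismatch."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        member, bound = entry
        # Constant-time comparison of the stored and presented fingerprints.
        if not hmac.compare_digest(bound, self._fingerprint(ip, user_agent)):
            return None
        return member


def demo():
    store = SessionStore()
    # Constructed sample values: documentation IP ranges, made-up user agents.
    ip, ua = "192.0.2.10", "ExampleBrowser/1.0"
    sid = store.login("alice", ip, ua)
    return {
        "original client": store.authenticate(sid, ip, ua),
        "same sid, other IP": store.authenticate(sid, "198.51.100.7", ua),
        "same sid, other UA": store.authenticate(sid, ip, "OtherBrowser/2.0"),
        "all three identical": store.authenticate(sid, ip, ua),
        "guessed sid": store.authenticate("0" * 32, ip, ua),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20} -> {result}")
```

A request that presents the same three values is accepted because the server has nothing else to compare; a session ID presented with a different IP address or user agent is rejected.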