2 Pluviôse CCXIII (January 21, 2005)
Brain Dead Security Design
I always have a terminal open to this server, and when it's not in use it's set to tail -f /var/log/apache/access.log. (For the non-*nix people: that means that it's watching the server access logs, and printing out each new line that gets added to it.) There's a point to this, and how it relates to the title, but I figured I should get the basic background info out of the way.
Anyways, as mentioned, the terminal spits out the server log when not in use. Every now and then I glance at it, or more importantly, I glance at the referer field. The weekly analog reports tell me what the most popular referers have been overall, but they fail to tell me where people are currently coming to the site from. (Odd tidbit, re analog: the MSN robot is the second most common user agent reported. It makes sense, as I see it crawling the site at least once a day. However, there has never been a single referral to any page or file on this site via the MSN search engine.)
Getting back on track: I occasionally glance at the referer field. If I see a site I don't recognise, I'll copy the entry and visit it so as to satisfy my curiosity. The most common unrecognised referrals come from forums. Certain pictures (especially, for some odd reason, the battery one) seem to be popular candidates for being posted in forums; so generally that's what I end up seeing when I paste in the URL. Anyways, as of late the Hollow Chocolate Bunnies scan has been showing up in my logs quite a bit. Seems some forum has posted it on a page, and I keep getting hits from it. So I did what I normally do: I pasted in the URL, and took a look to see where it was being posted. Thing is, once the page loaded, I noticed something: "You are logged in as username", where username was an actual username. "Hrmmm… That's odd," I thought, so I scrolled up and pasted every single URL from that site that I could find. End result: 10 URLs, 4 of which logged me in as someone. (With full access to their accounts. The only thing it didn't look like I could change was the password, as it required the old one.)
Now, this was, to put it mildly, odd. I followed a URL, which could be in thousands of server logs, and got into someone's forum account. (Note: At no point did I mess with anyone's account. I was curious as to why this was happening, but not malicious.) However, a quick glance at the user preference pages showed me the cause of this, and also one of the most brain-dead security designs I've ever seen.
From the looks of it, the site stores two bits of login information: one is a cookie, containing the login info, and the other is a "login certificate" which is contained in the URL itself. Normally a login certificate is assigned to only one IP (which makes sense), but the user can also turn off that option. Now, the question I have is this: why do they even need a login certificate if they're using cookies? (Also: why should a cookie-based authentication system care about the IP address?) Correct me if I'm wrong, but I thought the point of a cookie was to preserve state across sessions, meaning that the user's IP address might change. Why should the cookie be tied to an IP? Especially if the cookie itself doesn't appear to be all that useful (since I managed to log in as someone else without any cookies being sent or accepted from that site). Or, more simply: seriously, wtf?
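The flip side of this story is that the leak shows up in exactly the place I was watching: the referer field of my own access log. Below is an added example (my own code, not anything from that forum) that scans Apache combined-format log lines for referer URLs carrying a session-token-like query parameter, and masks the token before the line gets pasted or stored anywhere. The parameter-name list and the sample log lines are constructed for the example; a real forum's parameter name may differ, so extend the list to match.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Apache combined log: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query-parameter names that commonly carry a session credential.
# Assumed list for the example; add the names your own upstream sites use.
TOKEN_PARAMS = {"sid", "sessionid", "session", "phpsessid", "token", "auth", "cert", "logincert"}

# Constructed sample lines in the shape of /var/log/apache/access.log.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Jan/2005:10:12:01 +0000] "GET /pics/bunnies.jpg HTTP/1.1" 200 51234 '
    '"http://forum.example/viewtopic.php?t=42&sid=9f8e7d6c5b4a39281716" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Jan/2005:10:13:44 +0000] "GET /pics/battery.jpg HTTP/1.1" 200 23456 '
    '"http://forum.example/viewtopic.php?t=42" "Mozilla/5.0"',
    '192.0.2.77 - - [21/Jan/2005:10:14:02 +0000] "GET /robots.txt HTTP/1.1" 200 120 '
    '"-" "msnbot/1.0"',
]


def find_leaked_tokens(log_lines):
    """Return (referer_host, param_name, line_number) for every referer whose
    query string carries a session-token-like parameter. The token value itself
    is deliberately not returned, so the report can be shared safely."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        referer = m.group("referer")
        if referer in ("", "-"):
            continue  # no referer sent (e.g. the crawler hit above)
        parts = urlsplit(referer)
        for name, _value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in TOKEN_PARAMS:
                hits.append((parts.hostname, name, n))
    return hits


def redact_tokens(url):
    """Return url with the values of session-token-like parameters masked,
    so the referer can be pasted into a browser or a bug report without
    also handing over someone's login."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in TOKEN_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))
```

Run it over the real log with `find_leaked_tokens(open("/var/log/apache/access.log"))`; each hit is a site whose users are logging themselves in for anyone who reads your logs, which is worth a note to that site's admin rather than a visit to the URL.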