The guy was able to log in normally with just the session data from the server? Did he not need the cookie stored on the client?
Or did you not hash it as it would do it every loading of the page? If so, it might be better to have 2 levels of session data, one which can "login" from any IP which is...