Here is an idea - during account creation - take the unix time of the new account - store it and an MD5 version of the unix time into the register database. Create a cookie on the client with the MD5 key. Now - there is no way that the hacker can hack this because he doesn't know the exact unix time of creation.

Upon future logins - query the MD5 from the cookie and unix time from database and see if they match - if not - hacking has happened. I'll have to think on this one more....sounds foolproof.
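The scheme proposed above, measured against a random token, as an added example that is not part of the original post. It assumes the Unix time is hashed as a decimal ASCII string and uses a constructed sample timestamp; the function names are hypothetical.

```python
import hashlib
import hmac
import math
import secrets

def timestamp_token(created_at: int) -> str:
    """Scheme from the post: cookie = MD5 of the Unix creation time.
    Assumption: the time is hashed as a decimal ASCII string."""
    return hashlib.md5(str(created_at).encode()).hexdigest()

def search_space_bits(window_seconds: int) -> float:
    """Bits of uncertainty if the creation time is known to within a window."""
    return math.log2(window_seconds)

def guessable_within(token: str, start: int, end: int):
    """Return the timestamp that produces `token` if it lies in [start, end]."""
    for t in range(start, end + 1):
        if timestamp_token(t) == token:
            return t
    return None

def issue_token():
    """Hardened form: 32 bytes from the OS CSPRNG; store only its SHA-256."""
    token = secrets.token_urlsafe(32)
    stored = hashlib.sha256(token.encode()).hexdigest()
    return token, stored

def verify_token(presented: str, stored: str) -> bool:
    """Constant-time comparison of the presented cookie against the stored hash."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, stored)

if __name__ == "__main__":
    created = 1_700_000_000  # constructed sample creation time
    cookie = timestamp_token(created)
    day = 86_400
    print(f"{search_space_bits(day):.1f} bits if the signup day is known")
    print("recovered:", guessable_within(cookie, created - day // 2, created + day // 2))
    token, stored = issue_token()
    print("random token valid:", verify_token(token, stored))
```

A cookie derived from the creation time carries only as much uncertainty as the time itself, about 16 bits when the signup day is known, whereas the random token carries 256 bits and reveals nothing about the account.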