Index: src/login.c
==================================================================
--- src/login.c
+++ src/login.c
@@ -261,14 +261,22 @@
 const char *zCookieName = login_cookie_name();
 const char *zExpire = db_get("cookie-expire","8766");
 int expires = atoi(zExpire)*3600;
 char *zHash;
 char *zCookie;
- char const * zIpAddr = PD("REMOTE_ADDR","nil"); /* Complete IP address for logging */
- char * zRemoteAddr = ipPrefix(zIpAddr); /* Abbreviated IP address */
+ char const *zIpAddr = PD("REMOTE_ADDR","nil"); /* IP address of user */
+ char *zRemoteAddr = ipPrefix(zIpAddr); /* Abbreviated IP address */
+
 assert((zUsername && *zUsername) && (uid > 0) && "Invalid user data.");
- zHash = db_text(0, "SELECT hex(randomblob(25))");
+ zHash = db_text(0,
+ "SELECT cookie FROM user"
+ " WHERE uid=%d"
+ " AND ipaddr=%Q"
+ " AND cexpire>julianday('now')"
+ " AND length(cookie)>30",
+ uid, zRemoteAddr);
+ if( zHash==0 ) zHash = db_text(0, "SELECT hex(randomblob(25))");
 zCookie = login_gen_user_cookie_value(zUsername, zHash);
 cgi_set_cookie(zCookieName, zCookie, login_cookie_path(), expires);
 record_login_attempt(zUsername, zIpAddr, 1);
 db_multi_exec(
 "UPDATE user SET cookie=%Q, ipaddr=%Q, "
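Review bot: A successful login no longer rotates the session hash, because the `SELECT cookie FROM user` lookup added ahead of `hex(randomblob(25))` returns whatever unexpired value is already stored for the same `uid` and `ipPrefix()` result. A cookie value that was disclosed earlier therefore stays usable after the user logs in again, and the `UPDATE user SET cookie=%Q, ipaddr=%Q, ...` that follows (it runs past the end of the hunk, so its expiry handling is not visible) presumably writes the same value back. If sharing one hash between concurrent sessions of the same user is the intent, say so above the query, e.g. `/* Reuse the live cookie so a second login from the same address prefix keeps the first session valid; the hash is NOT rotated here. */`. It is also worth confirming that logout and password change clear `user.cookie`, since those become the only points at which the value is replaced before `cexpire`. The enclosing function begins before the hunk and continues after it.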