We should validate the $_SERVER["REMOTE_ADDR"] with the stored IP in adm_sessions on every page load. If that IP changed, then the session isn't valid and should be deleted. A message to the user should be shown.
See forum http://forum.admidio.org/viewtopic.php?p=13776#p13776
Not very useful because some servers change the IP at every page load; see forum thread for details.
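The check proposed in this issue, run against the case the reply describes, as an added example that is not part of the original thread or Admidio's code. The `$sessions` array stands in for the adm_sessions table; its keys, the function name and all sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example. $sessions stands in for the adm_sessions table; the keys
// 'ip' and 'user' are hypothetical, not Admidio's real column names.

/**
 * Returns true if the request may keep using the session, false if the
 * session is unknown or was deleted because the client address changed.
 */
function validateSessionIp(array &$sessions, string $sessionId, string $remoteAddr): bool
{
    if (!isset($sessions[$sessionId])) {
        return false;                   // unknown or already deleted session
    }
    // Compare the packed binary form so "::1" and "0:0:0:0:0:0:0:1" match.
    $stored  = @inet_pton($sessions[$sessionId]['ip']);
    $current = @inet_pton($remoteAddr);
    if ($stored === false || $current === false || $stored !== $current) {
        unset($sessions[$sessionId]);   // session is no longer valid
        return false;
    }
    return true;
}

// Constructed sample data (documentation address ranges).
$sessions = [
    'sess-a' => ['user' => 'alice', 'ip' => '192.0.2.10'],
    'sess-b' => ['user' => 'bob',   'ip' => '198.51.100.7'],
];
// Constructed page loads: alice keeps one address; bob's requests leave
// through a different proxy address partway through his visit.
$pageLoads = [
    ['sess-a', '192.0.2.10'],
    ['sess-b', '198.51.100.7'],
    ['sess-a', '192.0.2.10'],
    ['sess-b', '198.51.100.23'],   // same user, new outbound address
    ['sess-b', '198.51.100.23'],   // session was already deleted above
];

foreach ($pageLoads as [$sessionId, $remoteAddr]) {
    // In a real request $remoteAddr would come from $_SERVER['REMOTE_ADDR'].
    $ok = validateSessionIp($sessions, $sessionId, $remoteAddr);
    echo $sessionId, ' from ', $remoteAddr, ': ',
        $ok ? 'session valid' : 'session invalid, please log in again', PHP_EOL;
}
```

With strict equality, the legitimate user whose address changes between page loads is logged out in the same way a stolen session ID used from another address would be.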