User authentication done right?
Does anyone here have some suggestions, books or articles, about authentication best practices for http(s) explained in a framework/language-independent sort of way? What is your favourite resource on this topic? (Barrage of Qs, sorry, but I hope to learn something and can think of no better group to ask.) Is using secure cookies only for session validation/authentication really acceptable (effective)? How can one protect users at coffee shops and other public places where everyone shares an IP address? Would detecting the user's machine, OS, etc. from the http headers and hashing that as part of the secure cookie be a good idea, so a cookie thief would need the same hardware/software as the victim? I haven't (yet) driven around to various public internet access points to check how their servers are configured, whether or not information about a user's system is included in their request headers. Does anyone know how frequently this is done on a public server with a shared IP address?
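The header-binding idea from the question, worked through as an added example (not code from the post or any particular framework): the session cookie carries an HMAC over the session id plus a hash of the client's request headers, and it is issued with the Secure, HttpOnly and SameSite attributes. The header names, the `SERVER_KEY` and the cookie layout are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumed server-side secret for this example; in practice load it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)

def client_fingerprint(headers: dict) -> str:
    """Hash the request headers the asker proposes binding the session to.
    A fixed list and order keep the hash deterministic across requests."""
    parts = [headers.get(h, "") for h in ("User-Agent", "Accept-Language")]
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()

def issue_session(session_id: str, headers: dict, key: bytes = SERVER_KEY) -> str:
    """Return a cookie value: session id plus an HMAC over id and client fingerprint."""
    fp = client_fingerprint(headers)
    tag = hmac.new(key, f"{session_id}|{fp}".encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"

def validate_session(cookie_value: str, headers: dict, key: bytes = SERVER_KEY):
    """Return the session id if the tag verifies for this client, otherwise None."""
    try:
        session_id, tag = cookie_value.rsplit(".", 1)
    except ValueError:
        return None  # malformed cookie, no tag to check
    expected = hmac.new(key, f"{session_id}|{client_fingerprint(headers)}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag leaks nothing through timing.
    return session_id if hmac.compare_digest(tag, expected) else None

def set_cookie_header(value: str) -> str:
    """Build a Set-Cookie header with the attributes that limit cookie theft."""
    c = SimpleCookie()
    c["session"] = value
    c["session"]["secure"] = True      # only sent over https
    c["session"]["httponly"] = True    # not readable by page scripts
    c["session"]["samesite"] = "Lax"   # not sent on cross-site POSTs
    c["session"]["path"] = "/"
    return c.output(header="Set-Cookie:")
```

Binding to headers only raises the bar slightly: anyone on the same shared network can observe the same User-Agent, so the Secure flag and TLS remain the actual protection and the fingerprint is a supplement, not a substitute.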