- md5 is insecure. It has a high percentage of conflict. Use hash with sha256 at minimum instead.
- Look into writing a CIDR calculator for this. CIDR will let you handle ranges and subnets for ip addresses and respond accordingly.
As for cookies and sessions, sessions are fine for security so long as the sessionid isn't compromised. Cookies are useless for anything more than basic preference settings.