My company implemented this but went one more step. They created a
file that had (IP, ticket) pairs. The ticket was passed around in
URLs, but wasn't valid unless it came from the specific IP. To
pretend to be someone else, one would have to spoof their IP and
guess the value of their (10 hour life-cycle) ticket. We did this,
originally, because we wanted to support web browsers that didn't
cookie-type-options-and-settings). It worked well for us.
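
An added example, not code from the post or from the poster's company: a minimal sketch of the (IP, ticket) check described above, with an in-memory dictionary standing in for the file. The `TicketStore` class, its method names and the sample addresses are assumptions made for illustration; only the IP binding and the 10-hour lifetime come from the post.

```python
import ipaddress
import secrets
import time

TICKET_LIFETIME = 10 * 60 * 60  # seconds; the 10-hour life cycle from the post


def _norm_ip(text):
    """Canonical form of an address, or None if it does not parse."""
    try:
        return ipaddress.ip_address(text).compressed
    except ValueError:
        return None


class TicketStore:
    """In-memory stand-in for the (IP, ticket) file; layout is assumed."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tickets = {}  # ticket -> (issuing IP, user, expiry time)

    def issue(self, client_ip, user):
        ip = _norm_ip(client_ip)
        if ip is None:
            raise ValueError("unparseable client address")
        ticket = secrets.token_urlsafe(32)  # 256 random bits, URL-safe
        self._tickets[ticket] = (ip, user, self._clock() + TICKET_LIFETIME)
        return ticket

    def validate(self, client_ip, ticket):
        """Return the user only for a live ticket presented from its issuing IP."""
        entry = self._tickets.get(ticket)
        if entry is None:
            return None
        bound_ip, user, expires_at = entry
        if self._clock() >= expires_at:
            del self._tickets[ticket]  # expired: forget it
            return None
        if _norm_ip(client_ip) != bound_ip:
            return None  # right ticket, wrong source address
        return user


if __name__ == "__main__":
    store = TicketStore()
    t = store.issue("192.0.2.10", "alice")  # constructed sample values
    print(store.validate("192.0.2.10", t))    # alice
    print(store.validate("198.51.100.7", t))  # None
```

Clients behind the same NAT or proxy present the same source address, so the IP check does not separate them from one another, and a ticket carried in a URL also ends up in server logs and Referer headers.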