I suspect anyone suggesting that an IP be part of the session security has never actually tried it on a large scale.