We want to secure our service with additional methods of detecting a stolen HTTP session via IP/geolocation.

Are there any resources to find best practices for implementing such a system?
Detecting the location of the client by IP is not going to be very reliable; it's a false sense of security at best. You want to make it impossible to hijack, not detect it when it's too late!

Even tying a session to a single source IP is not great (think stealing sessions in a coffee shop behind NAT).

Use HTTPS.

Sign requests with a MAC (message authentication code).

Make sure your tokens expire fairly quickly and you have a method to refresh them.
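The answer's last three points in working form, as an added example that is not part of the original post: each session gets its own MAC key, the client signs every request with HMAC-SHA256 over method, path, timestamp and body, and the server rejects unknown or expired sessions, stale timestamps and bad MACs, with a refresh that rotates the session. The TTL, skew window and in-memory session store are assumptions chosen for the example.

```python
import hmac
import hashlib
import secrets

TTL = 600          # session lifetime in seconds (assumed value)
MAX_SKEW = 60      # accepted clock skew for the request timestamp (assumed value)

# Server-side session store: session id -> (per-session MAC key, expiry time).
# In-memory dict for the example; a real service would use a shared store.
sessions = {}

def create_session(now):
    """Issue a session id and a per-session secret; both go to the client over HTTPS."""
    sid = secrets.token_urlsafe(16)
    key = secrets.token_bytes(32)
    sessions[sid] = (key, now + TTL)
    return sid, key

def canonical(method, path, ts, body):
    """Fixed byte layout of what the MAC covers: method, path, timestamp, then the body."""
    return "\n".join([method.upper(), path, str(ts)]).encode() + b"\n" + body

def sign_request(key, method, path, ts, body):
    """Client side: HMAC-SHA256 over the canonical request, sent as a hex tag."""
    return hmac.new(key, canonical(method, path, ts, body), hashlib.sha256).hexdigest()

def verify_request(sid, sig, method, path, ts, body, now):
    """Server side: False for unknown/expired sessions, stale timestamps or a bad MAC."""
    entry = sessions.get(sid)
    if entry is None:
        return False
    key, exp = entry
    if now >= exp or abs(now - ts) > MAX_SKEW:
        return False
    expected = sign_request(key, method, path, ts, body)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(sig.encode(), expected.encode())

def refresh_session(sid, now):
    """Rotate a still-valid session: new id and key, old entry removed. None if invalid."""
    entry = sessions.pop(sid, None)
    if entry is None or now >= entry[1]:
        return None
    return create_session(now)
```

A stolen tag is useless on its own: without the per-session key it cannot be recomputed for a different body or a fresh timestamp, and the old session id stops working once the client refreshes.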