
You as the attacker can visit the page and get yourself a session cookie that is valid and set that on the victim's computer...



Would it increase security to include the user-agent, or part of the user-agent, in the HMAC secret? So the secret would be "abc123Mozilla[etc]"; that would then presumably require identical browsers to work, at the expense of logging everyone out every time their browser updates. Or include all or part of the IP address to restrict the network.


Using the IP address to restrict it would work, since now the attacker would need to have the same IP address to get a session that will stick, but this may cause users to be logged out when their ISP changes their IP, or when they move from home to a coffee shop for instance.


JS can get at that with "navigator.appVersion"




