Using the IP address to restrict it would work, since now the attacker would need to have the same IP address to get a session that will stick, but this may cause users to be logged out when their ISP changes their IP, or when they move from home to a coffee shop for instance.