This is pretty cool, though it should be remembered that if a number of users are all behind a NAT/firewall, they will all have the same source IP, and this method cannot protect against that case. However, it is an excellent way to protect against outsiders (either friendly or malicious) who wind up with the encrypted cookie.