Excellent++. Stacking it such that signing in doesn’t drop it would also be a good idea. Or IP + User Agent string + time limit HMAC or something would’t need a cookie/session at all and make it such that a “replay” attack wouldn’t work in … 10 minutes (based on post time) or so. More secure than the login under HTTP. :P