in reply to Re: Re: Length of Crypt::CBC result
in thread Length of Crypt::CBC result

OK, so there are methods that can be used to make the data more secure (although using an IP address is not a great idea).

My point is control. Once you send the data out to the browser you lose control.

If you have a public web server, most of your server-side security should already be done. Why create more processes and procedures if you don't need to? The more processes and procedures you add, the greater the chance something could be missed.

There is a reason why most web apps use a non-determinate token and associated session management - it works and it's simple to do.
