in reply to Sessions Vrs. Cookies
You're close to the right track in using the time and IP to tell the clients apart.
But what I did to also tell the clients apart is format a session key with the user's name, pass, IP and date expires.
That way, if a client has the same IP, the client's session ID would have to be formatted with the other info.
The way I have it coded, it keeps track of the last time the client has authenticated, and if the client accesses a page in less than one second it returns an error "Please Allow 1 seconds wait befor next page".
Hoping it will slow a brute force attack on the session ID.
I think using a hidden form field for the user's authentication would be nice.
Only if it stayed in a hidden form field. Once the session ID is passed through a link, then you get into a security issue of the session ID being in the client's Referrer. From there the session ID can be seen by other sites.
I'm not the best at sessions and am still finding new ways to authenticate the clients.
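
A sketch of the scheme described in this post, as an added example that is not the poster's code: a session token bound to user, IP and expiry, with a one-second throttle per client IP. It swaps in an HMAC under a server-side key instead of placing the password in the token; `SERVER_KEY`, `issue_token` and `check_token` are hypothetical names, and the addresses are constructed sample values.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the server
MIN_INTERVAL = 1.0                    # seconds between requests, as in the post
_last_seen = {}                       # client IP -> time of last counted request


def _mac(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, ip, expires):
    """Bind user, IP and expiry time under an HMAC; no password in the token."""
    if "|" in user:
        raise ValueError("separator not allowed in user name")
    payload = f"{user}|{ip}|{int(expires)}"
    return f"{payload}|{_mac(payload)}"


def check_token(token, ip, now=None):
    """Return (ok, detail) for a request presenting `token` from `ip`."""
    now = time.time() if now is None else now
    # Throttle first, per IP, so invalid guesses are slowed as well.
    last = _last_seen.get(ip)
    if last is not None and now - last < MIN_INTERVAL:
        return False, "throttled"
    _last_seen[ip] = now
    try:
        user, tok_ip, expires, mac = token.split("|")
        expires = int(expires)
    except ValueError:
        return False, "malformed"
    expected = _mac(f"{user}|{tok_ip}|{expires}")
    # Constant-time comparison on bytes; a non-ASCII guess cannot raise.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad signature"
    if tok_ip != ip:
        return False, "ip mismatch"
    if now >= expires:
        return False, "expired"
    return True, user
```

Carrying the token in a cookie or hidden form field rather than a link keeps it out of the Referrer header mentioned above.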