You can like to capture IP but in the age of cell phones, changing the IP at any time, as it is not productive looks.
You can still do something like md5(session_id() . $_SERVER[HTTP_USER_AGENT]), and also to record the session. But some write that the browser is updated so often, and the number of the version where he can almost every day to upgrade (and someone really measured?).
You can still limit the number of ω requests for the same session id, query 5 - session_regenerate_id(), but it seems to me that session_regenerate_id a few for other originally planned.
Do we want that today? If stealing cookies from ID shkami sessions?
Or maybe anyone they can get, and so nothing will save?))