It would improve security if the session id in ICAT were bound to the IP address that the login request came from. E.g. on login, the IP address would be registered alongside the user name. For each subsequent request using this session id, the session id would be considered invalid if the IP address of the request does not match the registered one.
This would protect against hijacking the session in the case that the session id has been disclosed to an attacker.
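A minimal sketch of the binding described above, as an added example that is not part of the original post and not ICAT code. `SessionStore`, `canonical_ip` and `SESSION_LIFETIME` are hypothetical names, the remote address is assumed to be the peer address the server sees for the request, and keeping the session alive after a mismatch is a design choice of this sketch.

```python
import ipaddress
import secrets
import time

SESSION_LIFETIME = 120 * 60  # seconds; assumed value for this sketch


def canonical_ip(addr):
    """Normalize an address so the same client compares equal across forms."""
    ip = ipaddress.ip_address(addr.strip())
    # A dual-stack listener may report an IPv4 client as ::ffff:a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


class SessionStore:
    """Hypothetical in-memory store; not ICAT's session table."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def login(self, user_name, remote_addr):
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (
            user_name, canonical_ip(remote_addr), self._clock() + SESSION_LIFETIME)
        return session_id

    def get_user(self, session_id, remote_addr):
        """Return the user name, or None if the session id is not valid here."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user_name, bound_ip, expires = entry
        if self._clock() >= expires:
            del self._sessions[session_id]
            return None
        try:
            request_ip = canonical_ip(remote_addr)
        except ValueError:
            return None  # unparsable peer address never matches
        if request_ip != bound_ip:
            # Same answer as for an unknown id: the caller learns nothing
            # about whether the id exists. The session itself is kept, so a
            # third party cannot log the real user out by replaying the id.
            return None
        return user_name
```

Clients behind a proxy or NAT that changes their outbound address between requests would see their session rejected under this check.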