Tokens limited to specific IP address

For security, user tokens should be limited to just the IP the user signed in on. Here's an example of where this would be useful.

1. User downloads token grabber by mistake

2. Other user attempts to log in using that token

3. The other user is blocked from logging in because they have a different IP