Many websites use one or more session identifiers, e.g., cookies, to store cached authentication credentials of users and applications, so that users don't have to authenticate to the website between browsing sessions when moving from web page to web page within the website. Examples of such websites include websites providing secure e-mail services, and websites requiring user-authentication for accessing network applications. Regardless of how secure the session identifier content is, for example, fully encrypted credentials with the key stored on the server (or, a proxy device), or if the application is using a Secure Sockets Layer (SSL) connection to secure the session identifier in transit, it is still possible for a malicious user, eavesdropper, or application to subvert server authentication mechanisms by stealing the full user session identifier. Conventionally, using standard and readily available data, e.g., a source Internet Protocol (IP) address, to prevent theft of the session identifier can be problematic since IP addresses are dynamic for many remote Internet connections, and often many unique client connections can come from the same source IP address (e.g., from organizations that use source-based Network Address Translation (NAT), such as large Internet Service Providers or ISPs). Unfortunately, conventional technologies do not resolve the problem of session identifier theft (e.g., cookie theft).