People are performing an increasing number and variety of tasks electronically. Many of these tasks involve sending requests to resources available across a network, such as the Internet. In order to ensure that a request is submitted by a user authorized to access a resource, or specific actions or data available through those resources, the user submitting the request often has to be authenticated to a system providing the resource. In many cases, this involves a user providing some type of credential, such as a username and password pair. In order to prevent the user from repeatedly having to enter these credentials, and the system or service from repeatedly having to validate these credentials, a token can be created for the user that can be provided with subsequent requests on a user session. When the system receives a request with a valid token for a particular user, the system can proceed to process the request. A potential downside to such an approach, however, is that any third party obtaining a copy of the token can also submit requests that appear to be valid requests from the user based on the token being included.