Hi Erel - yeah, that's what I'm doing.
Google throws up a gazillion articles & discussions on this subject (cross network/origin forgery) and you can go snow-blind reading all the differing opinions on SO. I suppose I'm really asking: has anyone here found a neat way they would recommend to verify that the token being sent is actually coming from the legitimate user? Does anyone have a proven best way of "fingerprinting" the user, as well as anyone can within B4J?
I could reject if the IP changes (though there are many legit reasons why this might happen to the legitimate user).
I could store header data with the UUID and check each request, but headers can be forged.
Is it even worth trying, given that the browser must be considered hostile? Everything will be SSL of course, reducing the MitM risk, but should I even worry about another browser mimicking the legit user? If the scammer is able to get the token directly from the machine and mimic its headers, surely all is lost anyway?
Note this is all from the context that I am using B4J as an API server on its own hardware. It will only return data, not web pages.
Big question
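As an added illustration of the header-binding idea raised in the post above (this is not B4J code from the original post, nor a reply from anyone on the thread), here is a Python sketch of a server-side session store that binds an opaque token to a hash of a few request headers and treats an IP change as a soft signal rather than a reason to reject. The `FINGERPRINT_HEADERS` choice, the in-memory `SESSIONS` dictionary, the TTL and the sample headers and addresses are all assumptions constructed for the example; the logic maps directly onto a B4J server handler, which sees the same request headers and remote address.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory session store: sha256(token) -> session record.
# A real API server would back this with a database or cache.
SESSIONS = {}

TOKEN_TTL_SECONDS = 3600  # assumed session lifetime for the example

# Headers that rarely change for one browser during a session. They are
# trivially forgeable, so they only raise the bar for a token stolen
# without them (e.g. a token pasted into a different tool).
FINGERPRINT_HEADERS = ("User-Agent", "Accept-Language", "Accept-Encoding")


def fingerprint(headers):
    """Hash the selected request headers into a fixed-length fingerprint."""
    material = "\n".join(f"{h}:{headers.get(h, '')}" for h in FINGERPRINT_HEADERS)
    return hashlib.sha256(material.encode()).hexdigest()


def issue_token(user_id, headers, client_ip, now=None):
    """Create an opaque session token and record what it was issued to."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not a UUID
    # Store only a hash of the token so a leaked store does not leak sessions.
    key = hashlib.sha256(token.encode()).hexdigest()
    SESSIONS[key] = {
        "user_id": user_id,
        "fingerprint": fingerprint(headers),
        "ip": client_ip,
        "issued": now,
    }
    return token


def validate(token, headers, client_ip, now=None):
    """Check a presented token. Returns (user_id or None, reason)."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    session = SESSIONS.get(key)
    if session is None:
        return None, "unknown-token"
    if now - session["issued"] > TOKEN_TTL_SECONDS:
        SESSIONS.pop(key, None)
        return None, "expired"
    # Constant-time compare so the check itself leaks nothing about the stored value.
    if not hmac.compare_digest(session["fingerprint"], fingerprint(headers)):
        SESSIONS.pop(key, None)  # treat a fingerprint mismatch as theft: kill the session
        return None, "fingerprint-mismatch"
    if client_ip != session["ip"]:
        # IP changes happen legitimately (mobile, VPN, NAT), so flag rather than reject.
        return session["user_id"], "ok-ip-changed"
    return session["user_id"], "ok"


def demo():
    """Constructed scenarios: legit reuse, a stolen token with the thief's own
    headers, and a stolen token with the victim's headers copied as well."""
    legit = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
        "Accept-Language": "en-GB,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
    }
    attacker = {"User-Agent": "python-requests/2.31", "Accept-Encoding": "gzip"}
    t0 = 1_700_000_000.0  # fixed clock for reproducible results

    token = issue_token("alice", legit, "203.0.113.10", now=t0)
    results = {
        "same-browser": validate(token, legit, "203.0.113.10", now=t0 + 60),
        "same-browser-new-ip": validate(token, legit, "198.51.100.7", now=t0 + 120),
        "stolen-token-own-headers": validate(token, attacker, "198.51.100.7", now=t0 + 180),
    }
    # The mismatch above killed that session, so issue a fresh one for the last case.
    token2 = issue_token("alice", legit, "203.0.113.10", now=t0)
    results["stolen-token-copied-headers"] = validate(
        token2, dict(legit), "198.51.100.7", now=t0 + 240
    )
    results["stale-token"] = validate(
        token2, legit, "203.0.113.10", now=t0 + TOKEN_TTL_SECONDS + 1
    )
    return results
```

The last two scenarios are the point of the post: a token copied out of the victim's machine together with its headers is indistinguishable from the victim, so header binding only catches the sloppy thief, and the real limits are a short TTL, revocation on mismatch, and keeping the token out of reach in the first place (HTTPS everywhere, no tokens in URLs or logs).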