Make IP locking of session tokens optional

Having the session token locked to an IP is a major pain when you're using a laptop and/or a VPN, because you can legitimately change IP addresses any time you sleep the laptop, which end up logging you out. I think it's still worth having this as an option, but it should not be on by default.