I think the article is quite nice, however these are just the basic concepts and if somebody seriously tries to make a serious security aware application, things like this will be addressed. In other words, the level of the article is quite low.

Issues like a man-in-the-middle attack are not addressed here (although i can imagine that something like this is usually outside the scope of the application layer). Another possible vulnerability can be random number generation. So depending on the implementation of session key generation, the entropy of the session keys could be much lower as the maximum possible entropy which may or may not make brute force attacks feasible.

So it really depends on the security requirements you have how the solution will be, there is no single security solution that works in all cases. To apply the latter, imagine that you’ve got a valid session id and you know to which ip the session is bound. Also assume that the target in this example is a bank. Now i can perform a request to transfer money to my account, and make this work by spoofing my ip-address and providing the stolen session. Ok, the reply of my request will never arrive since the IP address is spoofed, but who cares, I got the money since the server accepted my request.

The point is that depending on the context, your security requirements and thus your security solution(s) may greatly vary.