
Using client IP is a bad idea - that can change quite frequently for some users.


My proposed solution only ties the cookie to the IP, so the user will have to log in again if their IP changes. But this means that even if an attacker who doesn't know the password gets a cookie, unless they have the same IP they wouldn't get access.


What about people who are behind a proxy cluster, so each separate HTTP request may originate from a different IP address?

Assume nothing.
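The mechanism under discussion, as an added example that is not code from any commenter in this thread: a session cookie whose payload carries the IP it was issued to, authenticated with an HMAC so the client cannot edit that field, and a validator that rejects the cookie from any other IP. The function names, the `SERVER_KEY` value and the sample addresses (203.0.113.x, 198.51.100.x) are constructed for this demonstration. It shows both sides of the trade-off raised above: a cookie replayed from a different address is refused, and a legitimate user whose requests leave a proxy cluster through several addresses is refused on all but one of them.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment loads this from configuration.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def issue_cookie(user: str, client_ip: str) -> str:
    """Mint a session cookie bound to client_ip.

    Layout: user|ip|nonce|tag, where tag = HMAC-SHA256(key, user|ip|nonce).
    The nonce keeps two logins for the same user from producing the same
    cookie; the tag stops the client from rewriting the ip field.
    """
    nonce = secrets.token_hex(16)
    payload = f"{user}|{client_ip}|{nonce}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def validate_cookie(cookie: str, request_ip: str):
    """Return the user name if the cookie is authentic and the request
    comes from the IP it was bound to; otherwise None, meaning the caller
    must force a fresh login."""
    try:
        user, bound_ip, nonce, tag = cookie.split("|")
    except ValueError:
        return None  # malformed cookie
    payload = f"{user}|{bound_ip}|{nonce}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag check does not leak timing.
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged
    if bound_ip != request_ip:
        return None  # same cookie, different address: treat as stolen
    return user


def count_accepted(cookie: str, source_ips) -> int:
    """Replay one cookie from each address in source_ips (e.g. the egress
    addresses of a proxy cluster) and return how many requests succeed."""
    return sum(1 for ip in source_ips if validate_cookie(cookie, ip) is not None)


if __name__ == "__main__":
    cookie = issue_cookie("alice", "203.0.113.10")
    print("same IP      :", validate_cookie(cookie, "203.0.113.10"))
    print("other IP     :", validate_cookie(cookie, "198.51.100.7"))
    cluster = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    print("proxy cluster:", count_accepted(cookie, cluster), "of", len(cluster))
```

Run as a script it prints the bound address accepted, the foreign address refused, and only one of the three cluster addresses accepted, which is the breakage the proxy-cluster comment describes.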



