At Esri's recommendation we are using IP-locked long-lived tokens to secure our web services.
However, when clients change IP or when certain proxy servers are used, the token becomes invalid. This forces our customers to log in a second time - and sometimes more. This is a less than pleasing user experience.
We are looking for alternatives, and part of that trolling this forum for other users that have experienced this.
Are short-lived tokens the preferred, and if so, how have you renewed the token?
Is using the http referrer an option?
What about OAuth2? I'm not familiar enough with it, but Esri seems to think it's pretty awesome.