On each page's execution, match session.addr against cgi.remote_addr. If they are the same, the page continues executing; if not, the page halts, flashes to another page, and the session is cleared.
<CFIF cgi.remote_addr is not sAddr><CFLOCATION url="sessionerror.cfm"></CFIF>
The flaw is that cgi variables are not always detectable, so another method would be to assign a random number or some identifier (even just the username) to a cookie. Do not store the password in the cookie, since you won't need it for this step of authentication. You can pretty much assume anyone using a user's computer knows that person's username, so you're not hurting security by storing the username in a cookie.
The next step is pretty much the same as before. On each page, match the cookie to the session variable.
<CFIF cookie.username is not session.username><CFLOCATION url="sessionerror.cfm"></CFIF>
As for browsers that don't display cookies: they are so old or just so rare that they're virtually unheard of. A novice wouldn't know where to get one and wouldn't have been on the internet long enough to still have one, and someone who knows about them wouldn't really want one. As I said, little to no risk.
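
The two checks described above combined into one flow, as an added example that is not part of the original post. It uses the random-identifier option for the cookie and falls back to the cookie check alone when cgi.remote_addr is empty. The names session.token, cookie.sessToken and form.username are assumptions, as is the layout: the first fragment runs once at login, the second is included at the top of every protected page (not in sessionerror.cfm itself, which would redirect in a loop).

```cfml
<!--- Added example. session.token, cookie.sessToken and form.username are
      assumed names, not taken from the original post. --->

<!--- Fragment 1: run once at login, after the password has been verified. --->
<cflock scope="session" type="exclusive" timeout="10">
    <cfset session.username = form.username>
    <cfset session.addr     = cgi.remote_addr>
    <!--- Random identifier instead of the username, so the cookie value
          cannot be guessed by someone who only knows who the user is. --->
    <cfset session.token    = CreateUUID()>
    <cfset issuedToken      = session.token>
</cflock>
<!--- httponly keeps page scripts from reading the cookie (ColdFusion 9+). --->
<cfcookie name="sessToken" value="#issuedToken#" httponly="true">

<!--- Fragment 2: include at the top of every protected page. --->
<cfset sessionOk = false>
<cflock scope="session" type="readonly" timeout="10">
    <cfif StructKeyExists(session, "token")
          and StructKeyExists(cookie, "sessToken")
          and Compare(cookie.sessToken, session.token) eq 0>
        <!--- Cookie matches. Apply the address check only when both
              values are available; otherwise rely on the cookie alone. --->
        <cfif Len(cgi.remote_addr) eq 0 or Len(session.addr) eq 0
              or cgi.remote_addr is session.addr>
            <cfset sessionOk = true>
        </cfif>
    </cfif>
</cflock>

<cfif not sessionOk>
    <!--- Clear only the keys this code created; the server's own session
          bookkeeping keys are left alone. --->
    <cflock scope="session" type="exclusive" timeout="10">
        <cfset StructDelete(session, "username")>
        <cfset StructDelete(session, "addr")>
        <cfset StructDelete(session, "token")>
    </cflock>
    <cflocation url="sessionerror.cfm" addtoken="no">
</cfif>
```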