I created a token mechanism that works like this:
1) The user logs in successfully.
2) The authentication service returns a token in the form username;remote_ip;secret_key;creation_timestamp;expiration_timestamp
3) This token is passed as an HTML attribute in the body tag (I'm not saving it in a cookie).
4) The authentication service checks if the remote_ip is the same as the token's IP, if the secret is the same as when the token was created, and if the token has not expired (using the last two pieces of information in the token).
Since I'm using SSL, there is no way that someone will steal the token along the way. Only the server and the client who logged in know it.
So why do I need to sign it?
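The following is an added example, not code from the question. It implements the token format and the three checks exactly as the question describes them, then adds an HMAC-SHA256 tag under a server-only key (the key name, the sample username, IP and secret, and the `tamper_expiration` helper are all assumptions constructed for this example). Because every field the server checks, including the per-session secret, is carried inside the token the client already holds, the unsigned checks cannot tell an issued token from one whose expiration field the client rewrote; the signed variant can.

```python
import hashlib
import hmac

# Assumed server-side HMAC key for this example. It stays on the server and is
# never placed in the token, unlike the per-session secret_key in the question.
SERVER_HMAC_KEY = b"example-only-server-hmac-key"
SEP = ";"


def issue_unsigned_token(username, remote_ip, secret_key, now, ttl_seconds):
    """Build the token in the question's format:
    username;remote_ip;secret_key;creation_timestamp;expiration_timestamp"""
    for field in (username, remote_ip, secret_key):
        if SEP in field:
            raise ValueError("field may not contain the separator")
    return SEP.join([username, remote_ip, secret_key, str(now), str(now + ttl_seconds)])


def verify_unsigned_token(token, remote_ip, expected_secret, now):
    """The checks the question lists: same IP, same secret, not expired.
    Returns the username on success, None on failure. Apart from remote_ip and
    expected_secret, every value compared here is read from the token itself."""
    parts = token.split(SEP)
    if len(parts) != 5:
        return None
    username, tok_ip, tok_secret, created, expires = parts
    try:
        created_ts, expires_ts = int(created), int(expires)
    except ValueError:
        return None
    if tok_ip != remote_ip:
        return None
    if not hmac.compare_digest(tok_secret.encode(), expected_secret.encode()):
        return None
    if not (created_ts <= now < expires_ts):
        return None
    return username


def issue_signed_token(username, remote_ip, secret_key, now, ttl_seconds):
    """Same payload, followed by an HMAC-SHA256 tag over it under the server-only key."""
    payload = issue_unsigned_token(username, remote_ip, secret_key, now, ttl_seconds)
    mac = hmac.new(SERVER_HMAC_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + SEP + mac


def verify_signed_token(token, remote_ip, expected_secret, now):
    """Check the tag first (constant-time compare), then run the unsigned checks."""
    payload, sep, mac = token.rpartition(SEP)
    if not sep:
        return None
    expected = hmac.new(SERVER_HMAC_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return verify_unsigned_token(payload, remote_ip, expected_secret, now)


def tamper_expiration(token, new_expiration):
    """Constructed helper: what a client holding its own token can do, rewrite the
    fifth field (expiration_timestamp) and leave IP and secret untouched."""
    parts = token.split(SEP)
    parts[4] = str(new_expiration)
    return SEP.join(parts)


def demo():
    # Constructed sample values for this example.
    now = 1_700_000_000
    ip, secret = "203.0.113.5", "per-session-secret"
    unsigned = issue_unsigned_token("alice", ip, secret, now, 3600)
    signed = issue_signed_token("alice", ip, secret, now, 3600)
    later = now + 7200  # both tokens have legitimately expired by this time
    forged_expiry = later + 86400
    return {
        "unsigned_valid": verify_unsigned_token(unsigned, ip, secret, now + 10),
        "unsigned_expired": verify_unsigned_token(unsigned, ip, secret, later),
        "unsigned_tampered": verify_unsigned_token(
            tamper_expiration(unsigned, forged_expiry), ip, secret, later),
        "signed_valid": verify_signed_token(signed, ip, secret, now + 10),
        "signed_tampered": verify_signed_token(
            tamper_expiration(signed, forged_expiry), ip, secret, later),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows `unsigned_tampered` still returning `alice` after the expiration field was rewritten, while `signed_tampered` returns `None`: TLS protects the token in transit, but only a tag under a key the client does not have lets the server detect that the fields it is trusting were changed by whoever holds the token.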