PHP
Alexander, 2014-01-18 21:21:40

Where can I read an article about the authorization algorithm with IP binding?

Where can I read an article about the authorization algorithm with IP binding? The IP is dynamic, so how are sessions bound to such IPs?


3 answer(s)
KOLANICH, 2014-01-18
@KOLANICH

Just save the IP in a field of the $_SESSION array and check it on each page; if it doesn't match, log out (session_destroy).
If the server is Apache, use the .htaccess php_value auto_prepend_file option for this.

zvorygin, 2014-01-18
@zvorygin

I think it's not good to bind by IP alone, without cookies, especially since the IP is dynamic. But as an additional check, why not: both the cookie and the IP must match.
A dynamic IP is issued for quite a long time. But the next time the user turns on the computer, he may be given a different IP, and then, for example, the "remember me on this site" checkbox will not work: the cookie will match, but the IP will not.

Vitaly Zheltyakov, 2014-01-19
@VitaZheltyakov

I will add:
If you do it for yourself, then binding IP to the session will still work.
If you are doing it for public use, then such a binding is a very rash step, since problems will begin with people who work through proxies (and there are a lot of them now).
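
The check described in the answers above (session cookie plus a matching IP, enforced on every page through `auto_prepend_file`), as an added example that is not code from any of the posters. The file name, the session keys `user_id` and `bound_ip`, the `/login.php` redirect and the looser prefix mode are assumptions of this example.

```php
<?php
// session_guard.php (added example). Load it before every page from .htaccess:
//   php_value auto_prepend_file "/path/to/session_guard.php"

// true  = the full address must match (the check described in the answers)
// false = only the IPv4 /24 or IPv6 /64 prefix must match (looser variant,
//         an assumption of this example, tolerating some address changes)
const IP_STRICT = true;

// Reduce an address to the part that must stay constant during the session.
function ip_fingerprint(string $ip): ?string
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return null;                        // not a valid IP address
    }
    if (IP_STRICT) {
        return bin2hex($packed);
    }
    $keep = strlen($packed) === 4 ? 3 : 8;  // prefix bytes to compare
    return bin2hex(substr($packed, 0, $keep));
}

// Call once, right after the password check succeeds.
function bind_session_to_ip(int $userId): void
{
    session_regenerate_id(true);            // fresh session ID at login
    $_SESSION['user_id']  = $userId;
    $_SESSION['bound_ip'] = ip_fingerprint($_SERVER['REMOTE_ADDR']);
}

// Runs on every request: the cookie selects the session, the IP must match too.
function enforce_ip_binding(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'])) {
        return;                             // anonymous visitor, nothing to check
    }
    // Only REMOTE_ADDR is used: headers such as X-Forwarded-For are client-supplied.
    $current = ip_fingerprint($_SERVER['REMOTE_ADDR'] ?? '');
    $bound   = $_SESSION['bound_ip'] ?? null;
    if ($current === null || !is_string($bound) || !hash_equals($bound, $current)) {
        $_SESSION = [];                     // drop the data for this request
        session_destroy();                  // and on the server
        header('Location: /login.php');     // hypothetical login page
        exit;
    }
}

enforce_ip_binding();
```

With `IP_STRICT` set to true, a user whose address changes between requests (a new dynamic lease, or a proxy with several exit addresses) is logged out and has to sign in again, which is the trade-off raised in the second and third answers.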
