
I want to implement SAML (as a consumer).

(To be fair, it can be done without certificate chains, but it could also be done with chains.)




Yep, I saw your more general list further upthread as well. I'd argue that much of the time these things are bad and essentially a kind of unnecessary, self-inflicted cryptography. In most cases the same things can be accomplished with a secure authenticated channel, someone hanging on to the relevant state and a cryptographically secure random id. A prime example is all the 'state-carrying authenticated/encrypted session cookie' infrastructure typically built into Ruby and Python web frameworks.
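The pattern named in the comment above (server-held state plus a cryptographically secure random id), sketched as an added example that is not part of the original thread. `SessionStore` and its method names are hypothetical, and the id is assumed to travel only over an authenticated channel such as TLS.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Server-side session state keyed by an opaque random id (hypothetical helper)."""

    def __init__(self, ttl_seconds=1800, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # sha256(id) -> (expires_at, state)

    @staticmethod
    def _key(session_id):
        # Keep only a digest server-side, so a dump of the store
        # does not hand out ids that can be replayed.
        return hashlib.sha256(session_id.encode("utf-8")).hexdigest()

    def create(self, state):
        # 32 bytes from the OS CSPRNG; the id carries no state and no signature.
        session_id = secrets.token_urlsafe(32)
        expires_at = self._clock() + self._ttl
        self._sessions[self._key(session_id)] = (expires_at, dict(state))
        return session_id            # the only value the client ever holds

    def lookup(self, session_id):
        key = self._key(session_id)
        entry = self._sessions.get(key)
        if entry is None:
            return None              # unknown or forged id
        expires_at, state = entry
        if self._clock() >= expires_at:
            del self._sessions[key]  # expired: drop the state as well
            return None
        return state

    def revoke(self, session_id):
        # Logout or incident response: the id stops working immediately,
        # with no key rotation and no wait for a cookie to expire.
        return self._sessions.pop(self._key(session_id), None) is not None
```

The server needs no signing or encryption key for this; the trade-off is that every request costs a store lookup.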



