Data exchange during multi factor authentication
US-2019327223-A1 · Oct 24, 2019 · US
US11558193B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11558193-B2 |
| Application number | US-201816122294-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 5, 2018 |
| Priority date | Aug 13, 2018 |
| Publication date | Jan 17, 2023 |
| Grant date | Jan 17, 2023 |
Official abstract text for this publication.
Systems and methods provide access to location-restricted resources outside of recognized locations. In one example, a method includes receiving a request for a controlled access resource from a client device and determining that the request is not associated with a recognized location but that state data exists for the client device identifier. In response to identifying the state data, the method includes generating a link for accessing the controlled access resource at a server, generating an encrypted token including a timestamp, a random number, and licensed resource information from the state data, including the encrypted token in the link, and providing the link to the client device. The client device uses the link to request the controlled access resource from the server, which determines that the request includes the token, determines that the token is not expired, and provides the controlled access resource to the client device.
Opening claim text (preview).
What is claimed is:
1. A method comprising: receiving, via a first network connection, a request for a controlled access resource from a client device, the request including a client device identifier but excluding login credentials; determining that the request is not associated with a recognized location; and in response to determining that the request is not associated with a recognized location: identifying state data for the client device identifier, generating a link for accessing the controlled access resource at a server, generating an encrypted token, the encrypted token including a token timestamp, a random number, and licensed resource information from the state data, wherein the licensed resource information identifies controlled resources available to the client device via the recognized location, including the encrypted token in the link, and providing, via the first network connection, the link to the client device, the link configured to be used by the client device to request the controlled access resource.
2. The method of claim 1, wherein the request is a first request and the controlled access resource is a first controlled access resource and prior to receiving the first request the method further comprises: receiving a second request for a second controlled access resource from the client device, the second request including the client device identifier; determining that the second request is associated with a recognized location; and in response to determining that the second request is associated with a recognized location: generating the state data for the client device, and storing the state data in a memory.
3. The method of claim 1, wherein the state data includes a state-data timestamp, the client device identifier, and the licensed resource information.
4. The method of claim 1, wherein the licensed resource information represents a geo location.
5. The method of claim 1, wherein the recognized location is a domain name.
6. The method of claim 1, wherein the recognized location is an Internet Protocol (IP) address.
7. The method of claim 1, wherein the request is a query and the controlled access resource is a resource responsive to the query.
8. The method of claim 1, wherein the client device identifier is a user account.
9. The method of claim 1, further comprising the client device using the link to request the controlled access resource, wherein using the link comprises sending the link in a request to a controlled resource server.
10. The method of claim 9, at the controlled resource server: receiving the link in a request for the controlled access resource; identifying the encrypted token in the link; decrypting the encrypted token; verifying the decrypted token by determining that the decrypted token has not expired based on the token timestamp and determining that the controlled access resource is available based on the licensed resource information; and providing the controlled access resource to the client device responsive to the decrypted token being verified.
11. The method of claim 10, wherein verifying the decrypted token further comprises determining that an IP subnet contained within the decrypted token matches an IP subnet of an IP address from which the request was received.
12. A system comprising: at least one processor; a datastore storing state data records for client devices; and memory storing instructions that, when executed by the at least one processor, cause the system to perform operations including: receiving a query from a client device, the client device having a device identifier, determining that at least one resource responsive to the query is a controlled access resource, in response to determining that the query is associated with a recognized location for the controlled access resource: generating a link to the controlled access resource, and generating a state data record for the client device in the datastore, the state data record including the client device identifier, a state data timestamp, and licensed resource information for the recognized location, in response to determining that the query is not associated with a recognized location: identifying an unexpired state data record in the datastore for the client device identifier, in response to identifying the unexpired state data record, generating a link to the controlled access resource that includes a token, the token including a random number, a token timestamp, and licensed resource information, the licensed resource information being obtained from the unexpired state data record, and in response to failing to identify an unexpired state data record in the datastore for the client device identifier, generating the link without the token, and returning a search result for the query to the client device, the search result including the link to the resource, wherein the client device uses the link to request the at least one resource from a controlled access server, the controlled access server configured to provide access to resources from requests associated with recognized locations.
13. The system of claim 12, wherein in providing access to resources from requests associated with recognized locations the controlled access server is configured to: receive a link to a controlled access resource from a particular client device, the link having an associated location; determine whether the associated location is a recognized location; in response to determining that the associated location is a recognized location, provide the controlled access resource; and in response to determining that the associated location is not a recognized location: in response to determining that the link includes an unexpired token, provide the controlled access resource, and in response to determining that the link lacks a token or that a token included in the link has expired, denying access to the controlled access resource.
14. The system of claim 13, wherein the token further includes an IP subnet of an IP address and the controlled access server is further configured to, in response to determining that the associated location is not a recognized location and the link includes an unexpired token: determine whether an IP subnet of the particular client device matches the IP subnet in the token; and in response to determining that the IP subnet does not match, deny access to the controlled access resource.
15. The system of claim 12, wherein the recognized location represents a geolocation.
16. The system of claim 12, wherein the recognized location is an IP address.
17. The system of claim 12, wherein the token is encrypted before inclusion into the link.
18. A method comprising: receiving, via a first network connection, a request for a controlled access resource from a client device, the request having a location but excluding login credentials; determining that the location is not a recognized location; in response to determining that the location is not a recognized location and that the request received via the first network connection includes a token, the token including a token timestamp, a random number, and licensed resource information: determining that the token is not expired based on the token timestamp, determining that a resource accessible using the licensed resource information matches the requested controlled access resource, and providing, via the first network connection, the controlled access resource to the client device; and in resp
based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint · CPC title
Virtual private networks · CPC title
using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807) · CPC title
wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals · CPC title
involving time stamps, e.g. generation of time stamps · CPC title