User ID, session data and security
#10

[eluser]WanWizard[/eluser]
The payload of the session cookie contains:
- session ID (an MD5 hash)
- client's IP address
- client's Browser User Agent string
- last session ID rotate timestamp

This is an array, which is serialized and then encrypted using the encryption key in your config. The security of this key is the most important thing; it determines how secure your cookie is.

As to the user hash, generate a new one every time the user logs in, and store it in the user record. That way an old cookie can't be used. A side effect is that a user can only be logged in once, though.

As for rotation times, you can make it as short as you want. Note that you'll have to think about garbage collection: every rotation means a new session record, so you may want to prune your session table more often. Also note that CI's session class is not Ajax proof. If your site uses Ajax calls, you have to disable session id rotation on Ajax calls to avoid losing the session.
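The cookie layout and checks described in this reply, as an added example in Python that is neither CodeIgniter's code nor the poster's. It assumes an HMAC-signed payload in place of CI's encryption (so it runs on the standard library alone), a 300-second rotation interval, and in-memory dicts standing in for the user and session tables.

```python
import base64, hashlib, hmac, json, secrets

# Constructed example, not CodeIgniter's code. CI serializes the array and encrypts it
# with config['encryption_key']; here an HMAC-signed payload stands in for that
# (assumption, so the example needs only the standard library). Keep KEY secret.
KEY = b"placeholder-encryption-key"
ROTATE_AFTER = 300   # seconds between session id rotations (assumed value)

def new_session_id():
    return hashlib.md5(secrets.token_bytes(32)).hexdigest()   # MD5-shaped, like CI's

def make_cookie(session_id, ip, ua, rotated_at):
    # The four fields the post lists, serialized then authenticated with the key.
    payload = json.dumps({"session_id": session_id, "ip_address": ip,
                          "user_agent": ua, "last_rotate": rotated_at}).encode()
    tag = hmac.new(KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def read_cookie(cookie):
    raw = base64.urlsafe_b64decode(cookie)
    payload, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, payload, hashlib.sha256).digest()):
        return None                     # altered, or produced with a different key
    return json.loads(payload)

def login(username, users, sessions, ip, ua, now):
    """Store a fresh user hash in the user record; earlier cookies for this user stop matching."""
    users[username] = secrets.token_hex(16)
    sid = new_session_id()
    sessions[sid] = (username, users[username])
    return make_cookie(sid, ip, ua, now)

def validate(cookie, ip, ua, now, users, sessions):
    """Return (username, replacement cookie or None); (None, None) rejects the request."""
    data = read_cookie(cookie)
    if data is None or data["session_id"] not in sessions:
        return None, None
    if data["ip_address"] != ip or data["user_agent"] != ua:
        return None, None               # cookie presented from a different client
    username, user_hash = sessions[data["session_id"]]
    if users.get(username) != user_hash:
        return None, None               # user logged in again since; old session is dead
    if now - data["last_rotate"] < ROTATE_AFTER:
        return username, None
    sid = new_session_id()              # rotate: new record, old one pruned right away
    sessions[sid] = sessions.pop(data["session_id"])
    return username, make_cookie(sid, ip, ua, now)
```

Pruning the old record immediately on rotation is the simplest garbage-collection policy; it is also why an Ajax request still carrying the pre-rotation cookie would be rejected here.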

