[eluser]MadZad[/eluser]
ecko,
Ditto what beyondCiv said, with a few extra thoughts from my experiences.
If your controller has multiple actions, consider putting the login check in the constructor when it makes sense. Best of all, if you're doing unit tests, be sure to hit every action without being logged in.
In some cases, I've found it useful for the login check to return true/false - just in case the controller needs to do something more than redirecting to the login page. I typically find the "login check" evolves into multiple methods over time (access levels, custom messages on login screen, that kind of stuff).
When the situation makes it feasible, I put session information into the DB. I just embrace db hits as a cost of putting up a page, mostly because I don't want anything other than an encrypted key in the cookie. One size, of course, does not fit all.
Lastly, all the standard good security precautions. Keep db credentials out of the webroot. CI also makes it easy to keep all PHP code (other than index.php and config) out of the webroot. Make sure any controller helper methods start with an underscore.
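
The constructor check, boolean login helpers and underscore-prefixed methods described in this post, shown as an added example that is not part of the original post. It assumes CodeIgniter 2.x with the session library; the controller, view, route and session key names are hypothetical.

```php
<?php
// application/controllers/account.php (hypothetical controller, CodeIgniter 2.x style)
class Account extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');

        // Runs before every action in this controller, so an action added
        // later cannot be reached without passing the check.
        if (!$this->_is_logged_in()) {
            // Remember the requested URI so the login page can send the user back.
            $this->session->set_userdata('return_to', uri_string());
            redirect('login'); // redirect() exits, so no action code runs
        }
    }

    public function index()
    {
        $this->load->view('account/index');
    }

    public function billing()
    {
        // Because the checks return booleans, an action can do more than
        // redirect: here it refuses with a 403 for the wrong access level.
        if (!$this->_has_level('admin')) {
            show_error('Insufficient access level.', 403);
        }
        $this->load->view('account/billing');
    }

    // The leading underscore keeps CodeIgniter from routing a URL to these helpers.
    protected function _is_logged_in()
    {
        // 'user_id' is an assumed session key set by the login controller.
        return (bool) $this->session->userdata('user_id');
    }

    protected function _has_level($level)
    {
        // 'access_level' is an assumed session key.
        return $this->session->userdata('access_level') === $level;
    }
}
```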