also... logins

Remember to store a copy of your session ID in the user database (preferably a separate database that can match a key to the user database), that way you can prevent session hijacks by each time the browser loads, use the session start variable to see if the ID on the server/database matches the user cookie. If they don't match, force a second login.