Checking the browser is a complete and absolute waste of code. There is no point in writing a secuirty system that is trivial for an attacker to bypass. If the attacker obtains the session id via xss or sniffing the line then they will also have your “user-agent”.

Checking the ip address will force the attacker to “ride” on the session with XSS+XHR or XSRF. This is because the hijacked token will not work on his box. Unfortunately this also causes problems for corporate networks which use outgoing load balancing between multiple ip addresses.

HTTPS is a must be used for the entire session. At no point can your token be sent over HTTP. This is clearly layed out in “Broken Authentication and Session Management” in The OWASP Top 10 for 2010, which you absolutely must read if you are writing a session handler.

Session id’s must always time out. If they do not then this is called an immortal session, which is a recognized vulnerability.

Further more i am concerned about the randomness of your token. Make sure your study how to properly generate a cryptographic nonce. Make sure your random number generator is strong and seeded with information that an attacker cannot know.

I also suspect that you haven’t taken XSS and XSRF into consideration. It doesn’t matter how strong you make your session in other areas if you leave a major vulnerability unchecked. Make sure you scan your application using a free xss scanner or the open source wapiti. Keep in mind that no test will accurately detect XSRF and every single request in your application is vulnerable unless you specifically patch it.