Some security notes:
In order to avoid many of the problems that fall into the authentication and authorisation
groups of the OWASP webapp attack classification list, use the user authentication
subsystems already implemented in your web framework of choice. They are likely to have already
written secure code that covers a lot of the problems related to authentication and sessions and will
likely be far more secure than anything you roll yourself.

If you absolutely, positively, must roll your own auth, or if you wish to assess another one; then you/they must follow these rules.

• Implement a suitably random and unguessable session id for use in the session cookie.
• Do not allow the session id to be forced.
• When permissions or credentials are changed (e.g. the user been upgraded to a higher security, the user has changed their password) then
  immediately invalidate the session and start a fresh one.
• Provide a logout feature, and invalidate the session upon logout.
• Set the cookie to HttpOnly
• Always expire sessions after non-use and do not implement “keep me logged in” by reconnecting the user to their old http session.
• Ensure 2 sessions can’t have the same session id at the same time
• Ensure that all session data is destroyed when a session is invalidated. A new user coming along, may just happen to get assigned a session id that has been used previously. This new session must not have any access to session data that has been set previously against that session id.