You might benefit from a look at the arsDigita Community System security routines. In particular, ad-security.tcl implements a cookie-based mechanism for session IDs, including extensions to handle https. The session ID has several components, including a simple integer session number and a long un-guessable random number. You don't have a valid session unless these match. It also gives each browser an ID number via a cookie, tracks prior log-ins, etc. There is also a set of procedures to handle user IDs and logins. I am basing a site with pretty flexible and robust session-tracking on these modules.
Relevant documentation can be found at:

http://openacs.org/doc/security-sessions.html
http://openacs.org/doc/user-session-tracking.html
http://openacs.org/doc/user-registration.html

Other info on OpenACS is at www.openacs.org. Good luck!

Dave
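The two-part session cookie described above (integer session number plus a long random secret, valid only when both match), as an added example that is not the ACS/OpenACS code itself: the in-memory store, the comma-separated cookie layout and the secret length are assumptions, and the `Secure` flag stands in for the https handling the post mentions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SECRET_BYTES = 16  # assumption: 128 bits of randomness per session


@dataclass
class Session:
    session_id: int
    secret: str
    user_id: Optional[int] = None


class SessionStore:
    """In-memory stand-in (assumption) for the server-side session table."""

    def __init__(self) -> None:
        self._next_id = 1
        self._sessions: Dict[int, Session] = {}

    def create(self, user_id: Optional[int] = None) -> Tuple[int, str]:
        # The integer id is a guessable counter; the secret is what makes it unforgeable.
        sid = self._next_id
        self._next_id += 1
        secret = secrets.token_hex(SECRET_BYTES)
        self._sessions[sid] = Session(sid, secret, user_id)
        return sid, secret

    def validate(self, cookie: str) -> Optional[Session]:
        """Return the session only if both parts of the cookie match the stored record."""
        try:
            sid_str, secret = cookie.split(",", 1)
            sid = int(sid_str)
        except ValueError:
            return None
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        # Constant-time comparison so a wrong secret leaks no timing information.
        if not hmac.compare_digest(sess.secret, secret):
            return None
        return sess


def set_cookie_header(sid: int, secret: str, https: bool) -> str:
    """Build the Set-Cookie header; on https the cookie is restricted to TLS connections."""
    attrs = ["HttpOnly", "Path=/"]
    if https:
        attrs.append("Secure")
    return f"session={sid},{secret}; " + "; ".join(attrs)
```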