vicky99

Session And Security

Hi everyone, I'd like to explain my idea for basic session handling to you guys. I've thought about it, and I can't see any problem with it, but I'd like others' opinions as well, please. Ok, here goes.

So basically, there are two base cases that can happen. User visits any page, session class is initialized, etc.

Case 1 - User not logged in; no cookie or session info in DB

If the user is not logged in, has no cookie, and/or there is no session info in the DB for this user, any specified activities, protected like so:

php:
    if ( $session->loggedOn() == FALSE ) { ... }

the user cannot access them. If the user logs in, the session class will attempt to set a cookie containing a random session_id, which is stored in the database. If a cookie is unavailable, the session_id is still stored in the DB, and the SID is appended to the URL. $session->loggedOn() is set to true, and the user can access previously restricted areas.

Case 2 - User is logged in

If the user is logged in, the session class first looks for the cookie. If it's found, and the info (session_id, session_key) is valid, $session->loggedOn() remains at true, and the last_visited time in the DB is updated.

In the constructor is a removeInactive(), which removes sessions that are inactive after a certain amount of time. There is also updateSession(), which does the checking for a session. On logout, all info is scrubbed, and removeInactive() is also called, closing the session.

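A sketch of the database-backed session flow described in the post above, as an added example that is not the poster's code. The class name `SessionStore`, the table schema, the 30-minute idle timeout, the in-memory SQLite database and the choice to store only a SHA-256 hash of the session ID are all assumptions; it needs PHP 8 with the PDO SQLite driver.

```php
<?php
// Added example: class name, schema and timeout are assumptions, not the poster's code.
final class SessionStore
{
    public function __construct(private PDO $db, private int $idleTimeout = 1800)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL, last_visited INTEGER NOT NULL)');
    }
    // Login: issue an unpredictable ID from the CSPRNG; the DB keeps only its hash,
    // so a leaked sessions table does not hand out usable session IDs.
    public function create(int $userId, int $now): string
    {
        $sid = bin2hex(random_bytes(32));
        $this->db->prepare('INSERT INTO sessions VALUES (?, ?, ?)')
                 ->execute([hash('sha256', $sid), $userId, $now]);
        return $sid;
    }
    // Per-request check: purge idle rows, look the ID up, then refresh last_visited.
    public function validate(string $sid, int $now): ?int
    {
        $this->removeInactive($now);
        $hash = hash('sha256', $sid);
        $q = $this->db->prepare('SELECT user_id FROM sessions WHERE id_hash = ?');
        $q->execute([$hash]);
        $userId = $q->fetchColumn();
        if ($userId === false) { return null; }   // unknown or expired session
        $this->db->prepare('UPDATE sessions SET last_visited = ? WHERE id_hash = ?')
                 ->execute([$now, $hash]);
        return (int) $userId;
    }
    public function removeInactive(int $now): void
    {
        $this->db->prepare('DELETE FROM sessions WHERE last_visited < ?')
                 ->execute([$now - $this->idleTimeout]);
    }
    // Logout: delete the row so the ID is dead server-side, not just forgotten by the client.
    public function destroy(string $sid): void
    {
        $this->db->prepare('DELETE FROM sessions WHERE id_hash = ?')
                 ->execute([hash('sha256', $sid)]);
    }
}

$store = new SessionStore(new PDO('sqlite::memory:'));
$t0  = 1700000000;                                     // constructed timestamp
$sid = $store->create(42, $t0);                        // constructed user id
var_dump($store->validate($sid, $t0 + 60));            // request one minute after login
var_dump($store->validate(str_repeat('0', 64), $t0));  // ID that was never issued
var_dump($store->validate($sid, $t0 + 60 + 1801));     // request after the idle timeout
```

When the ID is delivered as a cookie, `setcookie()` accepts `secure`, `httponly` and `samesite` options to restrict where the browser sends and exposes it.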
