So I am writing a small little script for just a few people to use so I figured it would be a good way to test my own authentication system. I want some feedback about it.

All data incoming is escaped using mysqli_real_escape_string(). The passwords each have a unique salt generated from some user-specific data in the database and are hashed using SHA1(). I verify the username and password match.

Upon doing this I use SHA1(microtime()) as a session ID and I record this along with the IP into the users table. I give the user a cookie consisting of the username and session ID. When the user attempts to access a protected page I load the cookie, escape the values using mysqli_real_escape_string() and verify the IP of the connection and the session ID in the cookie match what's recorded for the user identified in the cookie.

I also record the current timestamp of the user's last action in the users table to enforce a timeout limit. If the timeout limit has passed or if I cannot verify the cookie I empty the session ID from the db. I set the cookie expiration time to time() - 3600 (effectively deleting it) and I redirect to the login page with an error stating the session expired.

I also enforce a limit of 3 consecutive failed attempts on any username before it is blocked and 3 consecutive failed attempts from any IP before it is blocked.

The script will be accessed over an SSL connection as well.

What are your thoughts? I really look forward to some good suggestions to help make this system more secure, in hopes of using it on more visible scripts I am working on here soon.
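The session-ID part of the scheme above, written out as an added example (this is not the poster's code). It keeps the pieces the post describes (a per-user session record with IP and last-action timestamp, a sliding timeout, cookie deletion on failure) but puts the weak generator next to a replacement: microtime() is a timestamp, so SHA1(microtime()) can be enumerated by anyone who knows roughly when the login happened, whereas random_bytes() draws from the OS CSPRNG. The users table is stood in for by a constructed in-memory array, the timeout value is an assumption, and the code assumes PHP 7.3 or later for random_bytes() and the array form of setcookie().

```php
<?php
// Added example, not the poster's code: session-token issue/verify/revoke for
// the scheme described in the post, using an in-memory stand-in for the users table.
declare(strict_types=1);

const SESSION_TIMEOUT = 900; // assumed: seconds of inactivity before the session is dropped

// Constructed stand-in for the `users` table rows the post describes.
$users = [
    'alice' => [
        'session_hash' => null,  // sha256 of the issued token, never the raw token
        'session_ip'   => null,
        'last_action'  => null,
    ],
];

// The generator from the post, kept only for comparison: microtime() is a
// timestamp with microsecond resolution, so the token space is tiny and guessable.
function weakSessionId(): string
{
    return sha1(microtime());
}

// Replacement: 32 bytes from the OS CSPRNG, hex-encoded (64 characters).
function strongSessionId(): string
{
    return bin2hex(random_bytes(32));
}

function issueSession(array &$users, string $username, string $clientIp): string
{
    $token = strongSessionId();
    // Store only a hash of the token so a read of the table does not yield usable cookies.
    $users[$username]['session_hash'] = hash('sha256', $token);
    $users[$username]['session_ip']   = $clientIp;
    $users[$username]['last_action']  = time();
    return $token;
}

function revokeSession(array &$users, string $username): void
{
    $users[$username]['session_hash'] = null;
    $users[$username]['session_ip']   = null;
    $users[$username]['last_action']  = null;
}

// True only if the cookie token, the client IP and the timeout all check out;
// any failure empties the session record, as the post does.
function verifySession(array &$users, string $username, string $token, string $clientIp, int $now): bool
{
    if (!isset($users[$username]) || $users[$username]['session_hash'] === null) {
        return false;
    }
    $row   = $users[$username];
    $given = hash('sha256', $token);
    // hash_equals() runs in constant time, so response timing does not leak the stored hash.
    if (!hash_equals($row['session_hash'], $given)
        || $row['session_ip'] !== $clientIp
        || ($now - $row['last_action']) > SESSION_TIMEOUT) {
        revokeSession($users, $username);
        return false;
    }
    $users[$username]['last_action'] = $now; // sliding timeout, as in the post
    return true;
}

// Cookie helpers. Since the script is served over SSL, Secure and HttpOnly keep the
// cookie off plaintext connections and away from page scripts.
function sendSessionCookie(string $username, string $token): void
{
    setcookie('auth', $username . ':' . $token, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

function clearSessionCookie(): void
{
    setcookie('auth', '', ['expires' => time() - 3600, 'path' => '/', 'secure' => true, 'httponly' => true]);
}

// Demonstration with constructed addresses (documentation ranges).
$token = issueSession($users, 'alice', '203.0.113.5');
$fromSameIp  = verifySession($users, 'alice', $token, '203.0.113.5', time());
$fromOtherIp = verifySession($users, 'alice', $token, '198.51.100.9', time()); // IP mismatch: revoked
$token = issueSession($users, 'alice', '203.0.113.5');
$afterIdle   = verifySession($users, 'alice', $token, '203.0.113.5', time() + 2000); // past timeout
var_dump($fromSameIp, $fromOtherIp, $afterIdle);
```

Run from the command line, the first check passes and the other two fail, each failure leaving the session record emptied so the same cookie cannot be replayed. Splitting the cookie on the first ':' recovers the username and token for verifySession(); because the lookup is by username and the comparison is against a hash, the cookie values never need to reach a query string at all.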