Hello,

I'm using PHP to create a user authentication cookie. As this cookie is based on a number of unique factors (i.e., user_id, signup date, etc.), it's the only cookie I set and check on each page to ensure that the user is who their browser says they are.

Many months ago I started factoring the user_agent into the cookie. On one site I have had no reported issues. On another site I've had a small minority of people report an inability to stay logged in past the first page. I.e., they log in, are taken to the home page, and as soon as they click on a link they are logged out (due to my security).

I have a few questions:

1 - Is it flawed to rely on user_agent? I know it can be forged, but I figured it was a good extra layer.
2 - Why might it be that a small minority of users are not able to stay logged in if most users are not having any problems? The authentication is not based on IP, so firewall/proxy shouldn't figure in, right? And even if there is no user_agent it'll still be factored in and will most likely not change from one page to another in the same session, right? What could it be?
3 - What other method is suggested? I have done some Google searches and searched on here and have found some good tips on securing login code, but not much on the actual authentication cookie/session itself. Any advice appreciated.

Thanks kindly
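As an added illustration of the cookie scheme described in the post (example code, not the poster's own), the following PHP signs the cookie with a server-side secret so it cannot be forged and reports *why* a check failed, which is what you would want logged to diagnose the "logged out after the first click" reports; the secret, the signup-date lookup callable and the sample user agents are assumptions constructed for the example.

```php
<?php
// Added example, not the original poster's code. The $secret value and
// the $lookupSignup callable are assumptions standing in for the real
// configuration and user table.
declare(strict_types=1);

const MAX_AGE = 86400 * 14;   // cookie lifetime: 14 days

function issue_cookie(int $userId, string $signupDate, string $userAgent, string $secret): string {
    $issued  = time();
    // The user agent is hashed so the cookie stays short and does not leak it.
    $payload = implode('|', [$userId, $signupDate, $issued, hash('sha256', $userAgent)]);
    $mac     = hash_hmac('sha256', $payload, $secret);   // keyed MAC, not a plain hash
    return base64_encode($payload . '|' . $mac);
}

// Returns the user id on success, or a string naming the failure reason
// so the server log can tell a forged cookie from a changed user agent.
function check_cookie(string $cookie, string $userAgent, string $secret, callable $lookupSignup) {
    $raw = base64_decode($cookie, true);
    if ($raw === false) return 'malformed';
    $parts = explode('|', $raw);
    if (count($parts) !== 5) return 'malformed';
    [$userId, $signupDate, $issued, $uaHash, $mac] = $parts;
    $payload  = implode('|', [$userId, $signupDate, $issued, $uaHash]);
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) return 'bad_signature';   // constant-time compare
    if (time() - (int)$issued > MAX_AGE) return 'expired';
    if ($lookupSignup((int)$userId) !== $signupDate) return 'stale_account';
    if (!hash_equals($uaHash, hash('sha256', $userAgent))) return 'user_agent_changed';
    return (int)$userId;
}

// Constructed sample: the same cookie presented with two different user
// agent strings, the symptom described in the post.
$secret = 'example-server-secret-keep-out-of-the-repo';   // placeholder
$lookup = fn(int $id) => $id === 42 ? '2009-03-01' : null; // stand-in for a DB query
$cookie = issue_cookie(42, '2009-03-01', 'Mozilla/5.0 (X11; Linux)', $secret);
foreach (['Mozilla/5.0 (X11; Linux)', 'Mozilla/5.0 (X11; Linux) Toolbar/1.0'] as $ua) {
    $result = check_cookie($cookie, $ua, $secret, $lookup);
    error_log(sprintf('auth check for UA "%s": %s', $ua, var_export($result, true)));
}
```

Counting how often `user_agent_changed` appears in the log for a given account, versus `bad_signature`, shows whether the affected users are sending a user agent that varies between requests rather than a tampered cookie.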