Thanks for the replies. I didn't build the systems, but they have been designed for online usage so the company can take an iPad to a meeting with a client and access all the info there. I found a ridiculous level of security: passwords weren't even encrypted, and file uploads were online, so navigating to them would give you access.
So far I've encrypted passwords and made all files upload outside the htdocs directory, with a forced download for them if the user is logged in. Then I added brute-force protection to block an IP for 30 mins after 3 failed attempts. VPN is required to use FTP or MySQL (or root access to the server). Still plenty to do before I let it go live, I think.
I think the whitelist/blacklist and alarm system are a good idea, probably built into the brute-force system. I would personally prefer it to be hosted on their local servers and accessed via remote access when out and about. Oh, and SSL is a big yes. No skimping there.
I think forcing a password change every 30 days is a requirement too.
In terms of the user being logged in, I remember years ago there was a way of "stealing" a user's session using a gif file? I think I got round it with
$_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
It was many years ago so I'm not sure how good this would be now.
A few things to get through yet.
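The controls described in this post (hashed passwords, a 3-strikes / 30-minute IP lockout, a session tied to the User-Agent, and uploads served from outside htdocs only to a logged-in user) put together as one added PHP example. This is not the poster's code or the system being discussed; the class name LoginGuard, the array-backed attempt store, the user data and the IP address are constructed for illustration, and a real deployment would persist the attempt counters in a database or cache shared across web workers.

```php
<?php
// Added example, not the poster's code. LoginGuard and its array-backed
// storage are illustrative assumptions; back them with a database in practice.
declare(strict_types=1);

final class LoginGuard
{
    private const MAX_FAILURES = 3;       // threshold from the post
    private const LOCKOUT_SECS = 30 * 60; // 30-minute block from the post

    /** @var array<string,array{failures:int,locked_until:int}> keyed by client IP */
    private array $attempts = [];

    /** @var array<string,string> username => password hash (constructed sample data) */
    private array $users;

    public function __construct(array $users)
    {
        $this->users = $users;
    }

    // Store passwords with password_hash(): a salted, deliberately slow hash,
    // so a leaked table does not hand back plaintext passwords.
    public static function hashPassword(string $plain): string
    {
        return password_hash($plain, PASSWORD_DEFAULT);
    }

    public function isLocked(string $ip, int $now): bool
    {
        return isset($this->attempts[$ip]) && $this->attempts[$ip]['locked_until'] > $now;
    }

    // Returns true on a successful login. Failures are counted per client IP;
    // after MAX_FAILURES the IP is refused for LOCKOUT_SECS, even with the right password.
    public function attempt(string $ip, string $user, string $pass, int $now): bool
    {
        if ($this->isLocked($ip, $now)) {
            return false; // still inside the lockout window
        }
        $hash = $this->users[$user] ?? null;
        $ok = $hash !== null && password_verify($pass, $hash);
        if (!$ok) {
            $rec = $this->attempts[$ip] ?? ['failures' => 0, 'locked_until' => 0];
            $rec['failures']++;
            if ($rec['failures'] >= self::MAX_FAILURES) {
                $rec['locked_until'] = $now + self::LOCKOUT_SECS;
                $rec['failures'] = 0;
                // An alert hook (the "alarm system" from the thread) would fire here.
            }
            $this->attempts[$ip] = $rec;
            return false;
        }
        unset($this->attempts[$ip]); // successful login clears the counter
        return true;
    }
}

// Session binding: the post's idea of tying the session to the User-Agent,
// plus a fresh session id at login so an id issued before login cannot be reused.
function bindSession(string $userAgent): void
{
    session_regenerate_id(true);
    $_SESSION['ua_hash'] = hash('sha256', $userAgent);
    $_SESSION['login_time'] = time();
}

function sessionValid(string $userAgent): bool
{
    return isset($_SESSION['ua_hash'])
        && hash_equals($_SESSION['ua_hash'], hash('sha256', $userAgent));
}

// Forced download of an upload stored outside the web root: only for a valid
// session, and with the requested name reduced to its basename so the path
// cannot leave the upload directory.
function sendUpload(string $uploadDir, string $requested, string $userAgent): void
{
    if (!sessionValid($userAgent)) {
        http_response_code(403);
        return;
    }
    $path = $uploadDir . '/' . basename($requested);
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Constructed walk-through: three bad passwords from one address lock it out,
// the correct password is then refused for 30 minutes, and accepted afterwards.
$guard = new LoginGuard(['alice' => LoginGuard::hashPassword('correct horse')]);
$t = 1700000000;
foreach (['wrong1', 'wrong2', 'wrong3'] as $p) {
    $guard->attempt('203.0.113.5', 'alice', $p, $t);
}
var_dump($guard->attempt('203.0.113.5', 'alice', 'correct horse', $t + 60));
var_dump($guard->attempt('203.0.113.5', 'alice', 'correct horse', $t + 1801));
```

The User-Agent check only catches a stolen session cookie replayed from a client that sends a different User-Agent, so treat it as one layer behind the cookie flags (HttpOnly, Secure, SameSite), session_regenerate_id() at login, and the SSL the post already calls for. Per-IP lockouts also need a way to release legitimate users who share an address, which is where the whitelist from the thread fits.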