http://qs321.pair.com?node_id=101266


in reply to CGI Security Advice Sought

I'm leery of using $ENV{'REMOTE_ADDR'}.$ENV{'REMOTE_PORT'} in the session id cookie. How will that interact with several connections through one NAT box? The seven-try lockout is probably good enough to alert you to a salt guessing effort, but the content of the cookie is spoofable, guessable, and tainted.

With SSH a given, why not use the server's built-in authentication and session tracking?

After Compline,
Zaxo
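The alternative the reply points toward, as an added example that is not Zaxo's code or anything from the original thread: the session identifier is drawn from OS randomness and carries nothing a client can observe or choose, and the server recognises a session only by looking the cookie value up in its own store. The assumptions are a Unix-style /dev/urandom, CGI.pm (CGI::Cookie) being installed, and an in-memory hash standing in for whatever file or database the real application would use; the weak_session_id function exists only to make the post's concern concrete and is not something to deploy.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use CGI::Cookie;

# What the post warns against: an id built from values the client supplies or
# can see. Given a known address, only the ephemeral port varies (about 16 bits),
# and every client behind the same NAT box shares the address part.
sub weak_session_id {
    my ($env) = @_;
    return $env->{REMOTE_ADDR} . $env->{REMOTE_PORT};
}

# 32 bytes of kernel randomness, hex-encoded: 256 bits that no client can
# predict or reproduce, and nothing about the client is encoded in it.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $bytes, 32);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 32;
    return unpack 'H*', $bytes;
}

# Server-side store keyed by SHA-256 of the token, so a leaked store does not
# hand out usable cookies. A real application would persist this with locking.
my %sessions;

sub create_session {
    my ($store, $user) = @_;
    my $id = new_session_id();
    $store->{ sha256_hex($id) } = { user => $user, created => time };
    return $id;    # this raw value goes to the client, nothing else does
}

# Authentication is the lookup itself: an unknown or guessed value simply
# finds no record, whatever its format.
sub lookup_session {
    my ($store, $cookie_value) = @_;
    return undef unless defined $cookie_value && $cookie_value =~ /^[0-9a-f]{64}$/;
    my $rec = $store->{ sha256_hex($cookie_value) };
    return $rec ? $rec->{user} : undef;
}

# Cookie flags keep the token off the wire in clear and away from scripts.
sub session_cookie {
    my ($id) = @_;
    return CGI::Cookie->new(
        -name     => 'session',
        -value    => $id,
        -path     => '/',
        -secure   => 1,
        -httponly => 1,
    );
}

# Constructed environments for two clients sharing one NAT address.
my %client_a = (REMOTE_ADDR => '203.0.113.5', REMOTE_PORT => '49152');
my %client_b = (REMOTE_ADDR => '203.0.113.5', REMOTE_PORT => '49153');

printf "weak id for A: %s\n", weak_session_id(\%client_a);   # 203.0.113.549152
printf "weak id for B: %s\n", weak_session_id(\%client_b);   # 203.0.113.549153

my $id_a = create_session(\%sessions, 'alice');
my $id_b = create_session(\%sessions, 'bob');
print "Set-Cookie: ", session_cookie($id_a)->as_string, "\n";

printf "lookup of real cookie: %s\n", lookup_session(\%sessions, $id_a) // 'none';
printf "lookup of guessed cookie: %s\n",
    lookup_session(\%sessions, weak_session_id(\%client_a)) // 'none';
```

The lookup accepts only well-formed 64-hex-digit values before touching the store, which also keeps the tainted cookie string from reaching anything beyond a hash computation; the original seven-try lockout would sit in front of lookup_session, counting failed lookups per client, as the post suggests.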