The solution proposed in the original post looks like regular session management to me, and you could probably implement it without running into any problems. I don't know why you need to log the IP, though.
However, I second davis suggestion that you should go with a prebuilt module. Apache::Session totally rocks, and will let you store not only usernames and passwords, but any Storable object in you session variables. You have the choice of storing data in regular files, DB_File or several different databases, and the best part is that you don't need Apache; it will happily run under most web servers.
Also, you don't have to bother with generating random numbers for session ID's, as Apache::Session will do all this for you.
Cheers,
--Moodster