Thank you.

I do use a few methods, there's an alternate session ID stored in the users table which it authenticates against, and I also attach a hash of the members user agent so if for some reason the user agent string changes halfway through the session it logs them out to help prevent against hijacking. Any suggestions for a fourth line of defense?