Authorization in the web application. Ready algorithm?

Hi all. Please advice.
I have task to develop an algorithm by which any registered user of the web application can access the resource at the same time with only one device. Distribute the algorithm, tell me how to simplify or maybe all do not do so.

The algorithm works using cookies in this it was necessary to consider the mechanism of protection about theft (and turning) cookies.

The algorithm:
Authorization in a web application:
  1. A user enters their username and password.
  2. Check a couple of login and password and if match then go ahead, if not over.
  3. The generated session ID is: sha256(sha256(pass)+IP+User Agent)
  4. Written to the database the session ID
  5. Cookies written to the user id and session ID

Check when the page is refreshed:
  1. Take out of cook the user id and session ID
  2. Get the id from the database hashed password (it is stored there in the form of sha256(pass)) and session ID
  3. Get current ip and User Agent user
  4. From the resulting password hash, ip, and User Agenta get current session ID
  5. Compare the current session ID with what you get from cookies. If norms go further, if not to the login page
  6. Compare the current session ID with what you get from the database. If rules get access to the resource, if not go to the login page
April 3rd 20 at 18:23
1 answer
April 3rd 20 at 18:25
a lot of text

in cook, sew up the device ID

only the cook comes in with a different ID - radlogin for the first cookie

well, on the server Troisi matrix sigurnosti there and stuff (if needed of course)

the mechanism of protection about theft
called httpS

all other MITM intercept
https also described and intercept, so - see about the matrix, if need mahasamiti
I meant the mechanism of protection against theft (and replacement) cookies. Https will not help. - camill commented on April 3rd 20 at 18:28

Find more questions by tags User identification