I issue session keys to my users with a symmetrical encryption algorithm rather than a one-way hash. I concatenate the user's username, ip address, a timestamp, a lifetime, and a random number together, then encrypt them with Crypt::CBC and send them out in the form of a cookie. The server validates the cookie by decrypting it, verifying the connecting client's ip address, and ensuring that the timestamp + lifetime is greater than the current time.

Storing the ip address + timestamp/lifetime in the cookie mitigates the risk of replay attacks (i.e. someone else attempting to access the site with an identical cookie). Storing the random number makes a known plaintext attack on the encryption key much more difficult.

-Matt