Almost, but not quite (IMO). You dont need to send the username to the browser, and think about adding an expiry date to your session database.
So:
- The user logs in
- You create a sess_id and send it to the browser (via a cookie or "param")
- You record the sess_id in the database along side a user_id
- Foreach pageview you retrieve the cookie from the browser and compare it to the one in your database
- You compare the "sysdate" with the date in you set in the session database(expy_date); if sysdate is > expy_date, send the login page to the browser.
- optionally on each pageview you can:
- Extend the session by n so the session is more dynamic and stay current as long as the user is actively using your application
- re-issue another sess_id - making your application a touch more secure.