Great idea, that is better than what I was going to do with mcrypt because it doesn't require mcrypt. The salt should be a random string of 8 characters to be harder to brute-force.
I thought about last login timestamp as salt too. In this case the attacker has to be very quick to intercept the session before a user sends another request, e.g.:
1. at 08:07:23 a victim enters exploited page
2. at 08:09:12 a victim clicks the exploit link but then idles for 2 minutes
3. at 08:10:54 an attacker, having copied the cookie exactly, enters the site with victim's account (he-he, if ipcheck is off or he's behind the same NAT or he has spoofed the IP)
But yes, this would be harder to break. And some sort of this thing could be used to improve current CSRF protection (which is not perfect either because a user has the same sed_xp/sed_xg value during the session which can be sniffed).
May the Source be with you!
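
The timeline in the post above, as an added PHP example (not part of the original post and not the forum software's own code): a cookie bound to a salt that changes on every accepted request stops working once the victim sends the next request, and still works inside the idle gap. The HMAC-SHA256 cookie format, the per-request rotation, the in-memory user record and the names `new_salt`, `cookie_for` and `handle_request` are assumptions made for illustration.

```php
<?php
// Constructed in-memory user record; a real site would keep this in its users table.
$users = ['victim' => ['secret' => random_bytes(32), 'salt' => null]];

// Random 8-character salt, as the post suggests (4 random bytes as hex).
function new_salt(): string {
    return bin2hex(random_bytes(4));
}

// Cookie value: HMAC of the user name keyed with the server-side secret plus current salt.
function cookie_for(array $user, string $name): string {
    return hash_hmac('sha256', $name, $user['secret'] . $user['salt']);
}

// Accept the cookie only if it matches the current salt, then rotate the salt
// and return the replacement cookie. Returns null when the cookie is stale or wrong.
function handle_request(array &$users, string $name, string $cookie): ?string {
    if (!isset($users[$name]) || $users[$name]['salt'] === null) {
        return null;
    }
    if (!hash_equals(cookie_for($users[$name], $name), $cookie)) {
        return null;
    }
    $users[$name]['salt'] = new_salt();
    return cookie_for($users[$name], $name);
}

// Login: first salt and cookie are issued.
$users['victim']['salt'] = new_salt();
$cookie = cookie_for($users['victim'], 'victim');

// Case A: the cookie is copied, but the victim's next request arrives first.
$copied = $cookie;
$cookie = handle_request($users, 'victim', $cookie);
$replayA = handle_request($users, 'victim', $copied);
echo 'replay after victim request: ', $replayA === null ? 'rejected' : 'accepted', "\n";

// Case B: the copy is replayed while the victim idles (the 08:09:12-08:10:54 gap).
$copied = $cookie;
$replayB = handle_request($users, 'victim', $copied);
echo 'replay during idle gap: ', $replayB === null ? 'rejected' : 'accepted', "\n";

// The victim's own cookie is now stale; a rejected cookie for a live session is worth logging.
$victimNext = handle_request($users, 'victim', $cookie);
echo 'victim request after replay: ', $victimNext === null ? 'rejected' : 'accepted', "\n";
```

Rotation narrows the replay window to the idle gap but does not close it, so the rejected-cookie event in case B is the detection signal a site would act on, for example by ending the session.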