If you are on your own server, encrypting session variables is pointless, because they don't get out of the server. See Linead answer to What do I need to store in the php session when user logged in? for more info. If you are in a shared server, you may need to encrypt every session variables, besides the session ID, because they are stored on temp files readable by the same web server all your neighbours are using.

Anyway, if you are really worried about security, you are better with your own (virtual or not) server, so danger will only come from outside your server.

Some examples of risk to your sessions:

• Your server sends the session ID in the URL, and your user follows a link to badguys.com They will get in server variables the referer (complete URL, including your session ID), the browser and the IP address of your user. If you are not checking IPs, or your user uses an open proxy, they only have to install same browser version, paste the URL, and they're done.
• User go to a public PC, logins, and leave without closing his session (hey, he's human after all). Next guy in the row opens the browser, check history and finds an open session. Yuck.

So, some measures you can take, by my usual preference:

1. Don't send the session ID in the URL; enable session.use_only_cookies in PHP. Cons: User needs to enable cookies.
   • On dangerous actions (change password, make an order...), ask user for password again. You can do it periodically too. Cons: Annoying.
   • Timeout sessions fast. Cons: In most sites, this will force users to login often, annoying them.
   • Use SSL (only way to avoid 'man in the middle' attacks). Cons: Slow. Stupid browser messages. Need SSL on server.
   • Check the IP. Cons: Inneffective for visitors using a public proxy. Annoying for dynamic IPs.
   • Check the User Agent (browser). Cons: pretty much useless, UA is easy to get and trivial to imitate.

(I take for granted you have yet PHP configured for maximum security).

Some more extreme measures:

• Maintain a permanent connection between server and browser, e.g. using a Java applet. No connection, no session. Cons: User needs Java, ActiveX or whatever you use. Session closes with browser (this can be good). Doesn't work on very slow connections. Higher load on server. You need to open ports, have a special server for the applet.
• The same, but using asynchronous requests (e.g. AJAX) to refresh very frequently the session, and a very short timeout. Or refreshing a hidden IFRAME. Cons: User needs JavaScript. Doesn't work on very slow connections. Higher load on server.
• The same, but reloading the whole page. Cons: User needs JavaScript. An automatic reload while you are reading a page is very annoying.

In some corner cases, you can forget about sessions and use Apache authentication instead. Simplest solution, but a lot of limitations.

Bear in mind that if you do that you're forcing people to login again if they upgrade their browser. This can be OK but just make sure it's your intent.

Using the user's remote address is not without problems either. Many people use the same computer from different locations. Mobile devices, laptops being used at home and work, laptops being used at Wifi hotspots and so on. IMHO it's a bad idea to use IP address in such a way that a new IP address requires a login unless you're dealing with highly sensitive information such as online banking. Is that the case?

What are you concerned about? External attack? Or in a shared host situation that someone can read your session information?

If it's the latter, the solution is simple: just don't store anything sensitive in the session. Anything sensitive should be stored in the database.

In terms of creating a secret salt, you need to use something that isn't guessable. I would go for something like a random string that's created when the user is created. If necessary recreate it each time the session is invalidated.

As for what it would make it more secure, you said it yourself: there are limited user agent strings (less than a hundred will probably cover 99.99% of users). A salt simply increases the number of possibilities. That being said, if you use the same salt for all sessions then it's only a matter of time before it's found with brute force.