How to create a secure session?

I am a newbie in backend development, and would like to know how do your or some popular sites create secure sessions?

What I know so far about sessions is following:

  • Sessions are stored on the server, while cookies are stored on user machine;
  • You can store data in both, and can identify user to session on server by session id;
  • For security reasons (mitm, sniffing, xss, session hijacking), you shouldn't store sensitive data in cookies;
  • To prevent CSRF attacks use hidden csrf token in hidden form, and submit it via JS on each request;

How I implemented these knowledge in my authorization and session:

  1. On login username, user-agent, ip, timestamp are used to create session_id;
  2. username, user-agent, ip, session_id is stored in database;
  3. session_id is stored on user's cookies.
  4. On each request the session_id is requested from user, selected in database and data from database (ip, user-agent) is compared to the one of user.
  5. If everything is ok (same ip, same user-agent) then procceed to do whatever user wants (create a post, comment, view articles).
  6. If cookies don't contain session_id - ask to log in.

I want to implement CSRF attack prevention by using hidden form in pages, which will send session_id as CSRF token.

Did I use everything correctly, is there something I'm missing? Would like to hear your tips and advices.