CodeIgniter auth security model

Everything you mentioned is good. I'm not familiar with phpass however. Make sure that when you hash the passwords, that you are using a salt.

An if_logged_in = true check is sufficient because session data is stored server-side. The reason for checking things such as user-agent is to help protect against session hijacking, where one person obtains another person's session ID.

P.S: I am no security expert so I prefer using system that are inspected by security-experts: openid, facebook connect, twitter(oauth), google signin, etc

But here is my Checklist(I can think off):

• use SSL to make sure nobody can read your password when sent over the wire.
• you should sanitize all your input($_POST, $_GET, $_SERVER, etc). If is not a local variable you should be careful. So for example you should sanitize $_SESSION['is_logged_in'] using this filter => $var = filter_var($_SESSION['is_logged_in'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); AGAIN You should do that for all input coming from the server, because they aren't safe. The best approach is to use whitelist instead of blacklist. Because there is a chance you will miss something.
• Use PDO to minimize risk of sql-injection.
• Don't store your passwords in your database in plain text, but hash them. Still risky business I guess. Because recently gawker/lifehacker has been comprimised(wondering how it could happen?). I guess your phpass is pretty solid because owasp also recommends it.
• Be aware off for XSS attacks. Is already done because of sanitizing input
• Take measures against CSRF. This can also be very dangerous if for example you can modify e-mail adress when user is logged in. Next step is to sent an e-mail to reset your password and your system is comprimised.

I am not familiar with phpass but check to see if it uses MD5 because if it does then it's not good enough. Use bycrypt http://www.memonic.com/user/pneff/id/1qHCT