
mt_rand()
#1

Nothing serious or urgent, but it is a possible improvement. Currently, the cookie value is a static(?) key that is assigned during installation. It is pretty much generated by the mt_rand() function, and is safely stored in the db. I might be wrong, but I don't think that the value changes. Changing it once in a while would be more secure. Also, the comments here: http://www.php.net/manual/en/function.mt-rand.php have some things like:
Quote: It should also be noted that 'mt_rand' function is NOT cryptographically secure. This means, among other things, that you cannot depend on it to generate data that is expected to be unpredictable, i.e. truly random. Depending on circumstances, a third person using 'mt_rand' will be able to generate the exact random number (or series of them) you have, which may break your security system.
Though the current usage is pretty secure, since no one will be seeing the security key or the db value, perhaps changing the value once in a while might be a good idea, along with an extra layer of encryption/longer value.

I'm giving you three guesses...
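An added example, not part of the original post and not the forum software's own code: a sketch of the suggestion above, generating the cookie key from the OS CSPRNG instead of mt_rand() and rotating it on a schedule. All function names, the 30-day interval and the `$store` array (standing in for the db row) are assumptions.

```php
<?php
// Hypothetical names throughout; $store stands in for the db row holding the key.
const KEY_BYTES = 32;            // 256 bits from the OS CSPRNG
const KEY_MAX_AGE = 30 * 86400;  // assumed rotation interval: 30 days

// mt_rand() is a deterministic PRNG: its output is fully determined by the seed.
function mt_rand_key(int $seed): string
{
    mt_srand($seed);
    return (string) mt_rand();
}

// random_bytes() (PHP 7+) draws from the OS CSPRNG and throws if none is available.
function generate_cookie_key(): string
{
    return bin2hex(random_bytes(KEY_BYTES));
}

// Replace a key older than KEY_MAX_AGE; keep the previous one for a grace period.
function rotate_if_stale(array $store, int $now): array
{
    if ($store === [] || $now - $store['created'] >= KEY_MAX_AGE) {
        return [
            'current'  => generate_cookie_key(),
            'previous' => $store['current'] ?? null,
            'created'  => $now,
        ];
    }
    return $store;
}

// Constant-time comparison against the current and the previous key.
function verify_cookie_key(array $store, string $presented): bool
{
    foreach ([$store['current'], $store['previous']] as $key) {
        if (is_string($key) && hash_equals($key, $presented)) {
            return true;
        }
    }
    return false;
}

$t0 = 1700000000;                                     // constructed timestamp
var_dump(mt_rand_key(1234) === mt_rand_key(1234));    // two runs from the same seed
$store = rotate_if_stale([], $t0);                    // first install: key created
$old = $store['current'];
$store = rotate_if_stale($store, $t0 + KEY_MAX_AGE);  // interval elapsed: rotated
var_dump(verify_cookie_key($store, $old));            // old key checked in grace period
var_dump($store['current'] === $old);                 // current key compared to old one
```

Keeping the previous key avoids logging everyone out at the moment of rotation; drop it after one further interval.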

