I am using the session_id to brand the browser, with the session_secret to prevent attackers from guessing a valid session_id. The reason behind all the anti-spoof stuff is to allow the initial checks on the cookie to be confident that the client database_id is actually correct. This allows the script to try to connect to the client's database directly instead of having to have to refer to a lookup database on each request.
Once the client database has been connected to the session details are validated as well.
--tidiness is the memory loss of environmental mnemonics