Django's contrib.auth.login()
function will only issue a new session ID if the user logging in is different from the user previously associated with that session. An anonymous user who logs in, or a user who re-authenticates, retains the existing session ID.
The session ID should be a long string of cryptographically strong random characters. It is theoretically possible to encrypt information and put it inside a cookie, but it is very difficult to secure. It is far more secure to use the standard server-side session mechanism for this purpose. In J2EE the HttpSession object provides this functionality for free: all you need to do is learn its API and use it. HttpServletRequest.getSession() returns this object.
Authentication should only be done using EID authentication. For session cookies other than the Secure Cookie, regenerate and update the session cookie upon EID login.
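As an added illustration (not code from Django, the PHP manual or the original page), the following minimal Python session store applies the rules from the paragraphs above: a server-side session keyed by a long random ID, and a new ID issued on every login, with a full flush when a different user authenticates. The SessionStore class and its method names are assumptions chosen for this example.

```python
import secrets
from typing import Dict, Optional

# Illustrative in-memory session store (not Django's or PHP's own code).
SESSION_ID_BYTES = 32  # 256 bits from the OS CSPRNG -> 43-char URL-safe ID


class SessionStore:
    """Maps opaque session IDs to server-side data dictionaries."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        """Issue a fresh, unpredictable session ID for an anonymous visitor."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """Return the data bound to `sid`, or None if it is unknown/retired."""
        return self._sessions.get(sid)

    def cycle_key(self, sid: str) -> str:
        """Keep the data but move it under a new ID and retire the old one,
        so an ID planted or observed before login no longer maps to anything."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = data
        return new_sid

    def flush(self, sid: str) -> str:
        """Discard all data and issue a new ID (used when the user changes)."""
        self._sessions.pop(sid, None)
        return self.create()

    def login(self, sid: str, user_id: str) -> str:
        """Bind `user_id` to the session and always return a new session ID.
        A different previously bound user causes a full flush, so no data
        leaks between accounts; otherwise data survives the key change."""
        current = self.get(sid)
        if current is None:
            new_sid = self.create()          # unknown or expired ID
        elif current.get("user_id") not in (None, user_id):
            new_sid = self.flush(sid)        # different user: drop everything
        else:
            new_sid = self.cycle_key(sid)    # anonymous or same user: keep data
        self._sessions[new_sid]["user_id"] = user_id
        return new_sid
```

After `login()` returns, the caller must send the new ID in the session cookie; the pre-login ID is no longer valid on the server.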
<?php
// Start up your PHP session (must be called before any output is sent).
session_start();
?>
For more information, please see the PHP Manual: session_start()