User identification

Authorization in the web application. Ready algorithm?

Hello. I ask for advice.
My task is to develop an algorithm by which any registered user of a web application can have access to a resource at a time from only one device. I threw an algorithm, tell me how to simplify it, or maybe everything is done differently at all.
The algorithm works through cookies, so it was necessary to think over a protection mechanism for the theft (and substitution) of cookies.
The algorithm itself:
Authorization in the web application:

1. The user enters his username and password.
   
2. We check a pair of login passwords and if they match, then we move on, if not, all over again.
   
3. We form the session identifier: sha256(sha256(pass)+IP+User Agent)
   
4. Write the session ID to the database
   
5. We write the user id and the session ID in the cookie
   

Check on page refresh:

1. Get user id and session id from cookie
   
2. We get the hashed password from the database by id (it is stored there in the form sha256 (pass)) and the session ID
   
3. We get the current ip and User Agent of the user
   
4. From the received password hash, ip and User Agenta we get the current session ID
   
5. Compare the current session ID with what we got from the cookie. If the rules go further, if not, go to the authorization page
   
6. Compare the current session ID with what we got from the database. If the norms we get access to the resource, if not, go to the authorization page