Usually, upon successful authorization, I remember only the user id in the session. If the login in your case is unique, then you can use it. The bottom line is that if necessary, you can pull out the rest of the user's data in this field at any time.
From all of the above, I see the best option as storing in the session a serialized (json_encode, serialize) array of the user's ID (or login, provided it is unique) and the password hash. When the password is changed, all old sessions disappear.
I strongly do not recommend using IP and User Agent checks.
When checking by IP, users on dynamic IPs disappear (these are the same mobile operators).
When checking the User Agent - the session will crash every time the browser is updated (because the User Agent also changes in this case). And all modern browsers are updated very often and automatically.
Another option (more paranoid): you can generate a random sha256 hash (or sha1, md5, whatever) and store this hash in the database next to the user ID. Then write two cookies to the user, one with the id and one with this hash. On each visit, check these two parameters.
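The two-cookie check from the last answer, as an added example that is not part of the original posts. It assumes an in-memory `$users` array in place of the database, hypothetical function names, and that the server keeps only a SHA-256 of the random token rather than the token itself; clearing the stored value on password change gives the "old sessions disappear" behaviour mentioned earlier.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-in for the users table (assumption: a real
// application would read and write its database here).
$users = [
    42 => ['login' => 'alice', 'session_token_hash' => null],
];

// Issue a fresh token at login. Only SHA-256(token) is stored server-side,
// so a leaked table does not yield usable cookie values.
function issueSessionToken(array &$users, int $userId): array
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $users[$userId]['session_token_hash'] = hash('sha256', $token);
    // In a web context these two values become the cookies, set via
    // setcookie() with the Secure, HttpOnly and SameSite options.
    return ['uid' => (string) $userId, 'token' => $token];
}

// Check the two cookie values on each visit.
function verifySessionCookies(array $users, array $cookies): bool
{
    $uid = $cookies['uid'] ?? '';
    $token = $cookies['token'] ?? '';
    if (!is_string($uid) || !is_string($token) || !ctype_digit($uid)) {
        return false; // missing or malformed cookie
    }
    $stored = $users[(int) $uid]['session_token_hash'] ?? null;
    if (!is_string($stored)) {
        return false; // unknown user or no active token
    }
    // Constant-time comparison of the stored hash with the cookie's hash.
    return hash_equals($stored, hash('sha256', $token));
}

// On password change or logout, drop the token so old cookies stop working.
function revokeSessionToken(array &$users, int $userId): void
{
    $users[$userId]['session_token_hash'] = null;
}

$cookies = issueSessionToken($users, 42);
var_dump(verifySessionCookies($users, $cookies));                            // cookie pair just issued
var_dump(verifySessionCookies($users, ['uid' => '42', 'token' => 'guess'])); // wrong token for a real id
revokeSessionToken($users, 42);
var_dump(verifySessionCookies($users, $cookies));                            // same pair after revocation
```

With one stored hash per user, each new login replaces the previous token, so only the most recent browser stays signed in.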