Channel: Auth class in PHP - Code Review Stack Exchange

Answer by Your Common Sense for Auth class in PHP

That's quite a lot to review, but here is what I could spot.

  1. http://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html
    Frankly, by following a widespread superstition in pursuit of better security, you are getting the opposite result, giving a hacker the perfect means to spoof the IP address and thus hijack the session.
  2. For some reason you have $user as a class property but many functions accept user as a parameter. Choose one?
  3. To my taste, there are about ten times more methods in this class than there should be. I would either drop most of the one-line methods, or, if you indeed want to be more catholic than the Pope, decouple this class into a series of service classes, all the cookie stuff for example.
  4. I've no idea what Authentication is, but the where() method looks alien to it. I would expect such a method in a Query Builder class, but authentication is not a query builder. Judging from the usage, Authentication should provide methods that you made parts of this class, keeping all where() calls internal.
