Saving Sessions in SSL Encrypted Cookies vs. Client Certificates

Background: From a desktop application, users will navigate to an SSL-encrypted web portal where they will have to enter a username / password if it's their first time logging in. I want to be able to securely persist their user session. I was thinking of using encrypted cookies, storing their username and a unique session token / key, but was wondering what benefits client certificates offered in terms of security.

The way I understand it currently:

Encrypted cookies:

  • Saved on the user's machine just like any other cookie
  • Since the entire site is SSL, the contents of the cookie cannot be tampered with
  • Easily implementable
  • When a user logs in again, invalidate the token / key and issue a new one

Problems:

  • Anyone attempting to access the web portal on the computer with a saved session will be able to, but this is a problem with any persisted session, right?
  • How do I know that computer A is computer A and not just computer B that copied computer A's cookie?

Client Certificates:

  • A pain in the ass to install
  • Will uniquely identify that person's computer (or can it be restricted to the user account) to the web portal
  • If the client certificate is stolen, then the account is compromised

Question: For persisting user sessions with the utmost security, would encrypted cookies be sufficient or would I need to install client certificates? How do they differ?
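One way to implement the cookie scheme the question describes (an added example, not code from the post): the cookie carries only the username and an opaque random token, the server keeps a hash of the token plus a 30-day expiry (an assumed policy), and each new login replaces the old token, so a copied cookie stops working as soon as the user signs in again. Because the token carries no user data it does not need encryption itself; it is protected in transit by TLS and on the client by the cookie attributes shown.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# In-memory stand-in for the server-side session table (constructed for the
# example). Only a hash of the token is stored, so a leaked table does not
# yield usable cookies.
SESSIONS = {}
SESSION_TTL = 30 * 24 * 3600  # 30 days; assumed persistence policy


def issue_session(username: str) -> str:
    """Create a fresh opaque token for `username`, revoking any earlier one."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[username] = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": time.time() + SESSION_TTL,
    }
    return token


def session_cookie(username: str, token: str) -> str:
    """Render the Set-Cookie value with the attributes that limit misuse."""
    c = SimpleCookie()
    c["session"] = f"{username}:{token}"
    c["session"]["secure"] = True        # sent only over TLS
    c["session"]["httponly"] = True      # not readable by page scripts
    c["session"]["samesite"] = "Strict"  # not sent on cross-site requests
    c["session"]["max-age"] = SESSION_TTL
    return c.output(header="").strip()


def validate_cookie(cookie_value: str) -> Optional[str]:
    """Return the username if the cookie matches a live session, else None."""
    username, _, token = cookie_value.partition(":")
    rec = SESSIONS.get(username)
    if rec is None or time.time() > rec["expires"]:
        return None
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(presented, rec["token_hash"]):
        return None
    return username
```

A server cannot tell computer A from computer B presenting the same cookie; what this scheme gives you is a short blast radius (expiry, server-side revocation, rotation on every login) rather than device identity.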


2-factor authentication (client certificates) does not mean a persisted session. Each time the user visits the page, the client certificate is used to authenticate against the site. Depending on the client policies (or AD), the user might enter a PIN to be able to submit the certificate or choose from a list of certificates installed in the certificate store.
