Not sure I understand what you are doing especially stuff like:
I am sending the hmac, shop name and timestamp with the login request.
I don't see any reason for you to send these. This is something that Shopify sends, so that you can ensure the request came from Shopify.
You need to do the OAuth dance *every time* you don't have a valid app session. You create an app session on successful completion of the OAuth dance. This is also when you associate the shop with the app session. The shop associated with the app session is the one you always use. There is no way someone can "trick the app to gain access to someone else's shop" because they only have access to the shop used during the OAuth dance.
Maybe you're saying the same thing and I haven't understood what you are getting at.
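To make the two points above concrete, here is an added example (not the poster's code, not Shopify's library) of the app side: the `hmac` query parameter is verified on the request Shopify sends, and only after that does the app mint its own session bound to the `shop` from the verified parameters, which is then the only shop that session can ever act on. The app secret and the query values are constructed for the example; the canonicalisation follows Shopify's documented scheme (drop `hmac`, sort remaining params, join as `key=value&...`, HMAC-SHA256 hex).

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

APP_SECRET = "shpss_example_secret_not_real"  # constructed placeholder, not a real secret

# Server-side session store: session id -> {"shop": ...}. Constructed for the example.
_SESSIONS: dict[str, dict] = {}


def canonical_message(params: dict) -> str:
    """Drop 'hmac', sort the rest lexicographically, join as key=value&key=value."""
    items = sorted((k, v) for k, v in params.items() if k != "hmac")
    return "&".join(f"{k}={v}" for k, v in items)


def sign_params(params: dict, secret: str) -> str:
    """HMAC-SHA256 over the canonical message, hex encoded (what Shopify puts in 'hmac')."""
    return hmac.new(secret.encode(), canonical_message(params).encode(), hashlib.sha256).hexdigest()


def build_signed_query(params: dict, secret: str) -> str:
    """Helper to construct a Shopify-style signed query string for testing."""
    return urlencode({**params, "hmac": sign_params(params, secret)})


def verify_shopify_request(query_string: str, secret: str) -> bool:
    """True only if the 'hmac' param matches our own computation over the other params."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    provided = params.get("hmac", "")
    # Constant-time comparison so the check does not leak how many hex chars matched.
    return hmac.compare_digest(sign_params(params, secret), provided)


def handle_oauth_callback(query_string: str, secret: str):
    """Verify Shopify's callback, then bind the verified shop to a fresh app session.

    Returns the new session id, or None if the request did not verify.
    """
    if not verify_shopify_request(query_string, secret):
        return None
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    session_id = secrets.token_urlsafe(32)
    _SESSIONS[session_id] = {"shop": params["shop"]}  # shop comes from verified params only
    return session_id


def shop_for_session(session_id: str):
    """Later requests resolve the shop from the session, never from a client-supplied param."""
    entry = _SESSIONS.get(session_id)
    return entry["shop"] if entry else None
```

Changing the `shop` value in a signed request invalidates the signature, so no session is created for a shop that did not complete the OAuth dance.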