On a website I am coding, I have a login page where a user inputs their username and password. I am planning on storing these values in Session variables, and then every page they go to thereafter will have a function that will check the sessioned variables (username/password) against a database table to authenticate the user.

I am concerned whether it is a good idea to store the username and password in session variables. Is there a more secure way to accomplish this? I thought about using headers, but I think the look of a login page.

Thanks for any help in advance.

    Sessions are the way to go for that... you could always encrypt/decrypt them for added security, but sessions are on the server end, so it's not "too" necessary...

    Don't use headers; headers can be fooled/read/manipulated/etc...

      I much agree with stolzyboy. Encryption - at least for the password - is something you should consider by any means. My preferred way is md5(), as it is built into PHP as well as MySQL and is a rather strong one-way encryption scheme.
      There are ways to read session variables and get information that's not supposed to be read off-site, with the appropriate means.


        Storing sensitive data in session variables is OK - if anyone can read them, they can do far worse things.

        Enabling session.use_only_cookies is recommended to make session hijack / fixation attacks harder.

        Mark

          There is less benefit from encrypting/decrypting data automatically: like MarkR said, if anyone can read the session variables they can do worse things - like get hold of and use the decryption routines. One-way hashing (as sid mentions) still has benefit, but of course you can't retrieve the hashed data either.

          Noted on the [man]session[/man] page is a warning that if you're using file-based sessions, and storing the session data in a world-readable directory (such as the default /tmp) then anyone with access to the server has access to your session data. If you're in a shared hosting environment then your hosting provider has a duty to have done something about this. Then again, shared hosting is never an ideal environment.
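The thread's recommendations, pulled together in one added example (this is not code from any poster, nor from the PHP manual): keep only a user id in the session rather than the username/password pair the question proposes, verify the password once at login against a one-way hash stored in the database (password_hash()/password_verify() rather than md5()), turn on session.use_only_cookies as MarkR suggests, regenerate the session id on login against fixation, and check whether the session save path is world-readable, which is weedpacket's caveat about file-based sessions in /tmp. It assumes a PDO connection and a hypothetical users table with columns id, username and password_hash; those names are assumptions, not part of the thread.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection $pdo and a
// hypothetical table users(id, username, password_hash), where password_hash
// holds the output of password_hash().
declare(strict_types=1);

// Harden the session before session_start(): session ids travel only in
// cookies (MarkR's point), unknown ids are rejected instead of adopted,
// and the cookie is kept away from client-side script.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');   // requires HTTPS
ini_set('session.cookie_samesite', 'Lax');

// weedpacket's caveat: with file-based sessions, a world-readable save path
// (the default /tmp) exposes every session file to other local users.
function sessionSavePathIsWorldReadable(): bool
{
    $path = session_save_path() ?: sys_get_temp_dir();
    $perms = @fileperms($path);
    if ($perms === false) {
        return false;
    }
    return ($perms & 0004) !== 0; // "other" read bit set
}

// Registration: store a one-way hash, never the cleartext password.
function createUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: verify against the hash once, then keep only the user id in the
// session. No per-page re-check of a password is needed because the
// password never leaves this function.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);        // fresh id on privilege change: defeats fixation
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['login_time'] = time();
    return true;
}

// Per-page check: resolve the session's user id against the database so a
// deleted or disabled account stops working immediately.
function currentUser(PDO $pdo): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        logout();
        return null;
    }
    return $user;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

session_start();

if (sessionSavePathIsWorldReadable()) {
    error_log('Warning: session save path is world-readable; set session.save_path to a private directory');
}
```

Call login() from the form handler and currentUser() at the top of every protected page; if it returns null, redirect to the login page. On shared hosting, point session.save_path at a directory only your account can read, which turns the warning above off and removes the exposure weedpacket describes.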
