2. "I think generally you assign the user a session ID when they log in" In response to 0
they pass this ID to the server on every page load (either via a cookie, a querystring parameter, or some other means). The session ID is used to look up the user's info on the server side. This way, you're not passing around sensitive info on every page load. You're just passing around an ID which is generally just a random number.
I'd be shocked if there weren't some PHP libs that handled all the heavy lifting for you. Back in my Perl days I just used a module to implement the majority of this.
------------------------------------- <--- Stop being such an Internet troll, Nopayne
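
An added example, not part of the post above or any library it alludes to: a minimal Python sketch of the session-ID pattern the post describes, with the ID drawn from the OS CSPRNG and all user data kept server-side. The names `SessionStore`, `session_cookie`, `sid_from_cookie_header`, the cookie name `sid` and the 30-minute timeout are assumptions for illustration.

```python
import secrets
import time

SESSION_TTL = 1800  # assumed idle timeout in seconds


class SessionStore:
    """Server-side table mapping an opaque session ID to the user's record."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested

    def login(self, user_info):
        # 32 bytes from the OS CSPRNG: the ID encodes nothing about the
        # user and cannot be guessed or enumerated.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": dict(user_info),
                               "expires": self._clock() + self._ttl}
        return sid

    def lookup(self, sid):
        # Called on every page load with the ID the client sent.
        entry = self._sessions.get(sid) if isinstance(sid, str) else None
        if entry is None:
            return None
        if self._clock() >= entry["expires"]:
            del self._sessions[sid]  # expired: force a fresh login
            return None
        entry["expires"] = self._clock() + self._ttl  # sliding timeout
        return entry["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid):
    # HttpOnly keeps page scripts from reading the ID; Secure keeps it off
    # plain HTTP. A cookie also avoids the querystring, which ends up in
    # logs and Referer headers.
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def sid_from_cookie_header(header):
    # Pull the session ID out of a request's Cookie header value.
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None
```
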