where is my bad *** programmer avatar
best method to use is serialize and unserialize the user object
if you can return an object instanceof User then he's a valid user and you also have his current credentials including activity since he first logged in.
I call this my authorization object and have Authorization::getInstance() unserializes from session. throws exception if the user isn't logged in.
function inside authorization private function save()
moves object to a serialized session. used only when modification to authorization or user object is affected . else it remains the same as when the user first logged in.