in reply to Re: Re: Re: Re: Crypt::DES returns same string
in thread Crypt::DES returns same string

I reckon the best method of identifying a user is to send an arbitrary token to the browser and store the token (server side) against the user_id.

One of the no-no's in web based applications is storing user data on the client, encrypted or not. The reason for this is you have no control over the information once it has passed to the client.

For example, if you are writing an application and send a session id to the client that is a two-way operation, someone could sniff the packets, grab the information and reverse it. Once they have reversed it they may hijack the session. What you don't know are the resources your attacker has (they may have a cluster of E15k's at their disposal).

If you use what is considered a one-way function (such as MD5 or SHA-1) it is relatively impossible for an attacker to derive the meaning of your id. If you then store your generated sess_id alongside your user_id at the server, you have complete control over the information. Identifying the user is as simple as looking the sess_id up in a database.

OTOH, if your attacker has a cluster of E15k's you've got a bigger problem on your hands... ;-)

  • Comment on Secure Session management (was Crypt::DES returns same string)
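The scheme the post describes (random, opaque token to the browser; token-to-user_id mapping kept on the server; identification by lookup) as an added worked example. This is not code from the thread or from Crypt::DES, and it is written in Python rather than Perl so it can be run as-is; the class and method names (`SessionStore`, `create`, `lookup`, `revoke`), the 30-minute TTL and the choice of SHA-256 for the stored digest are assumptions of this example, not anything stated in the post.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Server-side map from an opaque session token to a user_id.

    The token handed to the browser is random and carries no user data,
    so there is nothing on the client to reverse; the only way to turn a
    token back into a user is to look it up here.
    """

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for testing expiry
        # key: SHA-256 hex digest of the token; value: (user_id, expiry time)
        self._sessions = {}

    @staticmethod
    def _key(token):
        # Store only a one-way digest of the token (assumption: SHA-256),
        # so a leaked session table does not hand out usable tokens.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, user_id):
        # 32 bytes from the OS CSPRNG, base64url-encoded: unguessable and
        # unrelated to the user it identifies.
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user_id, self._clock() + self._ttl)
        return token

    def lookup(self, token):
        """Return the user_id for a live token, or None if unknown/expired."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, expires = entry
        if self._clock() >= expires:
            del self._sessions[key]  # drop stale sessions on first touch
            return None
        return user_id

    def revoke(self, token):
        """Server-side logout: the client copy of the token becomes useless."""
        self._sessions.pop(self._key(token), None)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    cookie = store.create("alice")          # what would go in Set-Cookie
    print("token sent to browser:", cookie)
    print("lookup ->", store.lookup(cookie))
    store.revoke(cookie)
    print("after revoke ->", store.lookup(cookie))
```

The point worth noting against the original thread: nothing about `alice` is derivable from the cookie value, the server can expire or revoke a session without the client's cooperation, and a sniffed token is only useful until it is revoked or times out, which is the property the post is arguing for.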