Using a session ID cookie is probably the best idea. The user only has to send their username and password once to you. It is also faster to lookup a number instead of a user name and then verifying the password.