Or maybe there is a 4th option I don't know about?

AFAIK, the standard way to do it is using a session cookie with a value hard to predict. This value is an index into a table that maps to a user of your application. This is way better explained in this merlyn column (offsite) I read a few days ago.