I know what you are talking about because I ran into that problem myself now that I'm re-designing my website.
The way that I worked it out is your first idea, although I'm not using logged-in users, so I have some comments about that:
- For security reasons, try to avoid the fields inside the HTML pages. Although they are hidden, people can still see them, so you might not want to include secure information there. And unless all your navigation is done using buttons to POST the form, your links will contain all the data as GET strings.
- I think that the best way to do this is to use cookies. Then again, you will have to make all your users enable cookies in their browsers, but I think that it is a more "secure" (?) way to do it, and your users can specify whether they want to stay always logged in or not.
- You can insert the right SSI now using information provided by the client cookie.
This might not be perfect, but I thought I'd share my idea.
He who asks will be a fool for five minutes, but he who doesn't ask will remain a fool for life.