make sure to use strip_tags on usernames, passwords, contact, and everything else.

Ok, create a session id using php, store that as a cookie. when people come back to the site, check to see if the session id is in a cookie. if there IS one, check the database to see if there is indeed one that matches. session id's are large and should be pretty unique, so it acts like an authenticator. when we find the row that matches the session id, we just load all of those variables into session variables so that we can easily use them across the domain.

Also, I think that if we sha1 the user id it could be more secure: find the row that matches the session id, get the user id for that row, sha1 it, compare to stored cookie.

If you are using shared hosting, then you better be sure your session data is being saved within your home dir and NOT web-accessible. If you are a shared hosting sysadmin, you should be doing this for your users automatically... as well as any other tmp files (file uploads, etc...).