user credential authentication and persistence

I would sure appreciate some advice.



I've been programming in rpg for a few years and have some exposure to php,
but am still in the learning process. I am trying to get a feel for what
the best practices are for getting login information from a user and then
maintaining that throughout the application.



These are the questions I have:

1) Is there a preferred method for validating a username/password
combination? I know of the following ways but am not sure of their
pros/cons (other than in both cases a user could accidentally/purposefully
disable another user's login):

a. Simply testing a connection using the user/pwd that was passed
using POST (filtering it first of course for any injections, etc.).

b. Using the rpg api QSYGETPH (get profile handle), check if a profile
handle is returned and if so then authentication is successful.

2) Is storing the username/password as session variables sufficient
(especially if they are encrypted)?

a. I know there is a php function called mcrypt. Would it be
sufficient to use this function alone to encrypt these variables?

b. Someone here on midrange.com suggested using the Zend framework to
extend the Zend_Session_Namespace in conjunction with mcrypt to accomplish
this. My problem with this method is that we aren't really using the
framework at this point (we may in the future), but I am wondering what this
method has over a simple use of the mcrypt function alone.

3) Searching online, some have recommend storing the user credentials
in a database file instead of session variables. What are the pros/cons of
this compared to using session variables?



Thanks for your time and expertise!



Sheldon