The right way to implement authentication using cookies, according to you.
Jochem Stoel
Posted on May 20, 2018
The internet is full of opinions when it comes to implementing authentication and the use of sessions/cookies. We all agree that storing passwords in cookies or setting a value like admin = true is a very bad idea. We also have to deal with the prevention of XSS cookie stealing (appending document.cookie to an <IMG> element's src attribute or whatever).
In many cases we also want to prevent a 'saved' cookie from successfully authenticating a different client or device when copied.
In your experience, what is the right way to handle authentication? In PHP, JavaScript or whatever language / framework you happen to prefer?