I've had good luck with an ip based tracking system which records a cookie to the user's machine. The cookie stores the ip address of the visitor the last time they visited the site. This works well b/c when a visitor returns to the site, his last cookie can be used as a lookup for his/her preferences file.
The login is a list of allowed ip addresses.
If the visitor's ip file says they are logged in the visitor is logged in.
As i understand ip spoofing, and please correct me if i'm wrong. ip addresses can be rerouted to look like it came from another location, but the actual ip address itself can NOT be spoofed. One ip for every net connection, so far as this is the case, it doesn't matter what the actual numbers are, just as long as they are unique. Therefore ip redirect/masking services are not a concern.
if i'm wrong about the ip spoof i would love to be corrected. I've been curious about this for a while.
Answer: How to remember who is logged in...