Adding JWT support to the server. Signing a JSON object as a payload and sending the signed token to the browser on authentication.
Yeah, check this: https://openid.net/specs/draft-jones-json-web-token-07.html
And you definitely don't want to put anything in the payload that is sensitive. Play around with http://jwt.io/ for a little bit and you can see that the information can be decoded regardless of the secret.