Important:
First, some important security advice you should keep in mind:
Your questions:
Since it's a REST application, I will have to use Cookies for session management, right?
Using sessions would be the safest (best), but of course there are a lot more solutions to session management. But if you use cookies only (no PHP $_SESSION) then you should of course encrypt your cookie. But I would advise you to just use $_SESSION.
What values do I store in Cookies?
You don't store anything in the cookies. $_SESSION creates the cookie (automatically => you don't have to think about it) for you, which is unique. Everything you put into $_SESSION is stored on the server so the user cannot read this. You could store whatever information you like to store in the session, but keep in mind that it is best to NEVER store sensitive data (PIN numbers, credit cards, passwords, etc.) in your application if possible. I have already mentioned that your $_SESSION is stored on the server, but the cookie which has a unique identifier to match with the session stored on disk (or database) could be guessed (spoofed).
How do I validate the session?
You validate the session by inspecting the information stored inside the session. I assume you store at least $_SESSION['id'] = $openid->identity; inside your session. Keep in mind that after the user logs in to your website using OpenID you should regenerate your session (id) to prevent session fixation.
How do I logout a user?
You just call session_destroy() and all the data stored inside the session will be deleted.
I hope this explained all your questions.
PS:
"A session in the cookie jar" gives you a basic introduction to sessions (although I don't see it mention session fixation :$).
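Putting the three answers together (regenerate the id on login, validate by the stored id, destroy on logout) as an added PHP example; this is not the answerer's code. It assumes an $openid object exposing ->identity (and a validate() call) as in the answer, and the function names are my own.

```php
<?php
// Added example, not from the original answer. Assumes an $openid object with
// ->identity (and ->validate()), as in the answer; function names are hypothetical.

// Call before any output on every request that needs the session.
function startSecureSession(): void {
    // Cookie flags: not readable by JavaScript, only sent over HTTPS,
    // and not sent on cross-site requests (PHP 7.3+ array form).
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// After OpenID has verified the user: regenerate the session id so an id
// planted before login (session fixation) is not promoted to a logged-in one.
function loginUser(string $identity): void {
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['id'] = $identity;
    $_SESSION['login_time'] = time();
}

// Validate: the session is only valid if the login marker is present.
function currentUserId(): ?string {
    return $_SESSION['id'] ?? null;   // null => not logged in
}

// Logout: clear server-side data, expire the cookie, destroy the session.
function logoutUser(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage sketch for a request handler:
startSecureSession();
if (isset($openid) && $openid->validate()) {   // after the OpenID round-trip
    loginUser($openid->identity);
}
if (currentUserId() === null) {
    http_response_code(401);   // no valid session: reject the REST call
}
```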