I reject leaving data on the client and passing it in headers that have to go through various proxies and app forwarding and such especially where HTTPS is not completely enforced.

Sure, that's definitely a concern. Personally all I store in the session is some identifier, like the username, and keep the rest on the server. (I posted some sample code at 11114043 and 11114542).