[eluser]richzilla[/eluser]
'the top of the controller' you refer to is called the constructor. Its called whenever a new object is created from that class.
Sessions would seem to be the best way to achieve this, and there is nothingly inherently incorrect about using them for this purpose. CI sessions utilise browser based cookies and are limited to 4kb, so this is a consideration if you are already storing a lot in your session variables.
In terms of security, there are many posts on this forum concerned with session security, a quick search for session security shows up many relevant results.