For clarification on what each process that you stated actually is for:
1. PDO prepared statements eliminate the need to sanitize user input before using it in a statment since the driver does this for you. (Takes care of SQL injection).
2. Do not store sensitive data in sessions, I usually only store a hashed unique user id in a session which I use to get all the necessary user data from a database.
3. Adding salts to hashing algorithms makes it very difficult for someone trying to gain access to the original data using a brute force or rainbow table method.