
AyKay47

Everything posted by AyKay47

  1. For clarification on what each process that you stated actually is for:

     1. PDO prepared statements eliminate the need to sanitize user input before using it in a statement since the driver does this for you. (Takes care of SQL injection).
     2. Do not store sensitive data in sessions, I usually only store a hashed unique user id in a session which I use to get all the necessary user data from a database.
     3. Adding salts to hashing algorithms makes it very difficult for someone trying to gain access to the original data using a brute force or rainbow table method.

     Validation should always be executed on the server primarily. It is suitable to have JavaScript validation only as an added layer on top of server side validation. If you rely solely on JavaScript to perform validation, a user can simply disable JavaScript on their machine, thus disabling your validation handling.
  2. The next step is a php freaks app.
  3. Started using Kate yesterday; so far it's pretty convenient and user-friendly, with some cool features.
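
The first post's points on prepared statements, salted hashing and server-side validation, as an added PHP example that is not part of the original posts. It assumes the `pdo_sqlite` extension is available; the `users` table, the function names and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo database: in-memory SQLite (assumes the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pw_hash TEXT)');

// Server-side validation: runs no matter what the browser did or skipped.
function validEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function register(PDO $pdo, string $email, string $password): bool
{
    if (!validEmail($email) || strlen($password) < 12) {
        return false;
    }
    // password_hash() generates a random per-password salt and embeds it in the hash string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders keep user input out of the SQL text; the values are bound separately.
    $stmt = $pdo->prepare('INSERT INTO users (email, pw_hash) VALUES (:email, :hash)');
    return $stmt->execute([':email' => $email, ':hash' => $hash]);
}

// Returns the user id on success, null otherwise.
// In a web request, keep only this id in $_SESSION and load everything else from the database.
function login(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, pw_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed sample inputs.
var_dump(register($pdo, 'alice@example.com', 'correct horse battery'));
var_dump(login($pdo, 'alice@example.com', 'correct horse battery'));
// Input containing quote characters is bound as a literal value, so it matches no row.
var_dump(login($pdo, "' OR '1'='1", 'anything'));
// Rejected by the server-side check before any query runs.
var_dump(register($pdo, 'not-an-email', 'correct horse battery'));
```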