[eluser]a&w[/eluser]
This thread is a little old but I'll post anyway.
Chris Shiflett has a book "Essential PHP Security" where he gives suggestions on how to persist logins, if you must. The rough gist of it is that you store 3 more fields in your user database: identifier, token, and timeout.
The identifier is an encrypted hash of the username and salt:
Code:
$identifier = md5( $salt . md5 ($username . $salt) );
The token:
Code:
$token = md5( uniqid(rand(), true) );
Store the cookie with a value of $identifier:$token.
The timeout stored in database should not exceed 7 days.
Every time the user logs in, regenerate the token/identifier in the database and cookie so that that particular cookie can only be used the one time.
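As an added example (not code from this thread, from Shiflett's book, or from CodeIgniter), here is the identifier/token/timeout scheme from the post above wired together in PHP 8, with a plain array standing in for the user table. The identifier formula is the one the post gives; two things are swapped in or added beyond the post and are assumptions of this example: the token comes from random_bytes() instead of md5(uniqid(rand(), true)), and only a SHA-256 hash of the token is stored so a leaked table does not hand out working cookies. The class, method and cookie names are made up for the example.

```php
<?php
// Added example: in-memory model of the identifier:token cookie scheme.
declare(strict_types=1);

final class PersistentLogin
{
    public const COOKIE_NAME = 'remember';
    private const LIFETIME   = 7 * 24 * 60 * 60; // 7 days, the maximum the post recommends

    /** @var array<string, array{username: string, token_hash: string, timeout: int}> keyed by identifier (stands in for the DB table) */
    private array $rows = [];

    /** $clock is injectable so the expiry path can be exercised below. */
    public function __construct(private string $salt, private ?Closure $clock = null) {}

    private function now(): int { return $this->clock ? ($this->clock)() : time(); }

    /** identifier = md5(salt . md5(username . salt)), as in the post: it only locates the row, the token is the secret. */
    public function identifierFor(string $username): string
    {
        return md5($this->salt . md5($username . $this->salt));
    }

    /** Issue a fresh cookie value for $username, replacing any existing row (called on every login). */
    public function issue(string $username): string
    {
        $identifier = $this->identifierFor($username);
        // Assumption: random_bytes() replaces the post's md5(uniqid(rand(), true)) as the token source.
        $token = bin2hex(random_bytes(16));
        $this->rows[$identifier] = [
            'username'   => $username,
            'token_hash' => hash('sha256', $token), // only a hash is stored (addition beyond the post)
            'timeout'    => $this->now() + self::LIFETIME,
        ];
        return $identifier . ':' . $token;
    }

    /** Validate a presented cookie; on success returns [username, newCookieValue], otherwise null. */
    public function consume(string $cookieValue): ?array
    {
        $parts = explode(':', $cookieValue, 2);
        if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
            return null; // malformed cookie
        }
        [$identifier, $token] = $parts;
        $row = $this->rows[$identifier] ?? null;
        if ($row === null) {
            return null; // unknown identifier
        }
        if ($row['timeout'] < $this->now()) {
            unset($this->rows[$identifier]); // past the 7-day timeout: drop the row
            return null;
        }
        if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
            return null; // wrong token; constant-time compare
        }
        // One-time use: logging in via the cookie regenerates token and row, killing the old cookie.
        return [$row['username'], $this->issue($row['username'])];
    }

    /** Options for setcookie(): HttpOnly, Secure, and never outliving the DB timeout. */
    public static function cookieOptions(int $now): array
    {
        return ['expires' => $now + self::LIFETIME, 'path' => '/', 'secure' => true,
                'httponly' => true, 'samesite' => 'Lax'];
    }
}

// Demo with a controllable clock (constructed values, not real data).
$t     = 1_700_000_000;
$login = new PersistentLogin('example-salt-change-me', function () use (&$t) { return $t; });

$cookie = $login->issue('alice');
if (PHP_SAPI !== 'cli') {
    setcookie(PersistentLogin::COOKIE_NAME, $cookie, PersistentLogin::cookieOptions($t));
}

[$user, $next] = $login->consume($cookie);      // first use succeeds and rotates the token
var_dump($user === 'alice', $next !== $cookie);
var_dump($login->consume($cookie) === null);     // the original cookie is now dead
var_dump($login->consume('garbage') === null);   // malformed input is rejected

$t += 8 * 24 * 60 * 60;                          // more than 7 days later
var_dump($login->consume($next) === null);       // the rotated cookie has timed out
```

In a real application the `$rows` array is the three extra columns on the user table, `issue()` runs on every password login as the post says, and the cookie should only be trusted for a session that re-prompts for the password before anything sensitive.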