I would suggest you change your system so that you don't cookie the password (and no, don't do this ever again), but the username + public authentication key for that user (gathered from the last login time perhaps), which combined with a server-side private key (hidden in your login script for example) produces a successful logon when tested against the database. For this you could use an "active users" table where you have 3 columns:
1) user,
2) timestamp, and
3) the loginhash, which you update on every logon
A simple walkthrough of how it would work:
1) login -> check for "remember me" -> store a time variable $time = time();
2) update active users table with current time, username and the hash comprised of md5($username.$time.$privatekey)
3) add a session cookie ($_SESSION['auth'] = "yes") so that you don't need to check the db every refresh
4) add an active user cookie ($_COOKIE['active_user'] = $username.$time; )
Now for every page requiring logon, you can first test if the session is available and an active user is set in the cookie, and retrieve the user info.
If the session isn't valid, then read the active_user cookie and match the hash made from the inners + the private key with the active users table's hash column. Now if a match is found, check the fields of that row and make sure the user is the same and the timestamp is not too old or invalid. If you smell fish -> force relogin; otherwise you're ok and can get the user info safely... and with no password saved in a cookie.
Edit: If this does not make any sense to you - I'm sorry, but I'm very tired atm... I'll check on this topic when I've slept for more than 2 hours in 2 nights
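
The flow described in the answer above, as an added example that is not the poster's code. It swaps HMAC-SHA256 and `hash_equals()` in for `md5()`, uses an in-memory array as a stand-in for the "active users" table, and assumes a `|` separator in the cookie value; the key, lifetime, usernames and timestamps are constructed.

```php
<?php
// Added example: constructed names and values throughout, not the poster's code.
const SERVER_KEY = 'constructed-demo-key-change-me'; // the server-side "private key"
const MAX_AGE    = 1209600;                          // assumed 14-day lifetime, in seconds

// Stand-in for the "active users" table: user => [timestamp, loginhash].
$activeUsers = [];

function login_hash(string $user, int $time): string {
    // HMAC-SHA256 swapped in for md5($username.$time.$privatekey); the "|"
    // separator keeps "bob1"+"23" and "bob"+"123" from hashing the same input.
    return hash_hmac('sha256', $user . '|' . $time, SERVER_KEY);
}

// Steps 1, 2 and 4: record the logon and return the cookie value.
function remember(array &$table, string $user, int $now): string {
    $table[$user] = ['timestamp' => $now, 'loginhash' => login_hash($user, $now)];
    return $user . '|' . $now; // value to pass to setcookie('active_user', ...)
}

// Fallback when the session is gone: returns the username, or null to force a relogin.
function check_cookie(array $table, string $cookie, int $now): ?string {
    $sep = strrpos($cookie, '|');
    if ($sep === false) return null;
    $user = substr($cookie, 0, $sep);
    $time = substr($cookie, $sep + 1);
    if (!ctype_digit($time) || !isset($table[$user])) return null;
    $row = $table[$user];
    // Constant-time comparison of the recomputed hash with the stored one.
    if (!hash_equals($row['loginhash'], login_hash($user, (int)$time))) return null;
    if ($row['timestamp'] !== (int)$time) return null;
    if ($now - $row['timestamp'] > MAX_AGE || $row['timestamp'] > $now) return null;
    return $user;
}

$t0     = 1700000000; // constructed logon time
$cookie = remember($activeUsers, 'alice', $t0);
var_dump(check_cookie($activeUsers, $cookie, $t0 + 3600));            // valid cookie, one hour later
var_dump(check_cookie($activeUsers, 'alice|1700000001', $t0 + 3600)); // timestamp altered
var_dump(check_cookie($activeUsers, 'mallory|' . $t0, $t0 + 3600));   // user with no row
var_dump(check_cookie($activeUsers, $cookie, $t0 + MAX_AGE + 1));     // past the lifetime
```

The cookie value in this scheme contains no secret, only the username and logon time, so its strength rests on that timestamp being unguessable. Putting a `random_bytes()` token in the cookie and storing its hash in the loginhash column removes that dependency.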
