You don't seem to have a clear vision of sessions and cookies!
No authority can modify the contents of a session other than your code (other than attacks). This way you can store everything (within reason), for example the user id or username, which you need to access often. In cookies you must store some obfuscated information that you can recognize later when the user tries to access your page. Therefore, based on the contents of the cookie, you can regenerate the user session (i.e. log the user in automatically). Just note that the user MAY change the contents of the cookie, so for security this should not be anything simple, like the user id.
I'll just give you a simple example. This is far from ideal, but not so bad! You may need to configure it according to your scenario.
Here you can create the cookie content as follows:
    // Create the cookie content when the user logs in.
    $salt = substr(md5($password), 0, 2);
    // md5()'s second parameter is a raw-output flag, not a salt,
    // so the salt is prepended to the password instead.
    $cookie = base64_encode("$username:" . md5($salt . $password));
    setcookie('my-secret-cookie', $cookie);

    // and later, to re-login the user, you do:
    $cookie = $_COOKIE['my-secret-cookie'];
    $content = base64_decode($cookie);
    // Split the decoded cookie content (the original split an undefined $hash).
    list($username, $hashed_password) = explode(':', $content, 2);
    // here you need to fetch the real password from the database based on the username ($password)
    if (md5(substr(md5($password), 0, 2) . $password) === $hashed_password) {
        // you can consider the user as logged in
        // do whatever you want :)
    }
UPDATE:
I wrote this article that covers this concept. Hope this helps.
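A hardened variant of the remember-me cookie described in the answer above, added here as an example and not part of the original answer: the cookie carries a random selector and validator instead of anything derived from the password, and the server keeps only a hash of the validator. The `$store` array stands in for a database table, and the function and cookie names are hypothetical.

```php
<?php
// Added example. $store stands in for a database table (assumption);
// function names and the cookie name are hypothetical.
function issueRememberToken(array &$store, int $userId, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator;
}

function verifyRememberToken(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                         // malformed or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                // single use, also on a failed attempt
    if ($row['expires'] < time()) {
        return null;                         // expired
    }
    // Constant-time comparison, so the check leaks nothing about the hash.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                         // tampered validator
    }
    return $row['user_id'];                  // caller issues a fresh token now
}

// Constructed demo: one valid login, one replay, one tampered cookie.
$store  = [];
$cookie = issueRememberToken($store, 42);
if (PHP_SAPI !== 'cli') {                    // send only when serving a request
    setcookie('remember_me', $cookie, [
        'expires' => time() + 1209600, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}
var_dump(verifyRememberToken($store, $cookie));        // first use
var_dump(verifyRememberToken($store, $cookie));        // replay of a used token
$other = issueRememberToken($store, 7);
var_dump(verifyRememberToken($store, $other . 'ff'));  // altered validator
```

Because the token is random and stored server-side, it can be revoked by deleting its row, and a leaked cookie reveals nothing about the user's password.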