Store hashed passwords in the database and store that hash in a cookie. That's one possibility (although it could be improved, it might be considered somewhat secure).
After the user comes back to your site, just take that info from his cookie (ensure it's SQL safe first) and check it against the database.
First, the only domain that can read the cookie is the one that set it (unless specified otherwise when setting the cookie).
And second, what prevents me from copying my WHT cookie and pasting it to my laptop?
The only thing you need to worry about is that the cookie should contain hashed data that's difficult to amend to fit your system (guessing the hash so the attacker can log in as someone else).
When your users register, they usually choose a password. Most user systems store hashed versions in the database (using the SHA1 or MD5 algorithm).
That way no one knows what the actual user's password is (except the user himself).
That's why it can be considered "safe" to put that hashed password in a cookie, since the reversal process cannot be done (although that's another issue).
I hope this is somewhat clearer. If not, I'll try to make it more understandable.
What stops a user from taking their cookie and using it on another machine? Like above -- not much... Although perhaps you could do something like store their IP address in a cookie, and then match it up against their first IP address in the DB -- this is assuming "everyone" has static IPs... otherwise it could cause problems.
Originally posted by lucid:
I can see the point in encoding the password etc.
But what would stop me writing some spyware that harvests, say, amazon.com cookies, sends them to me and then lets me use them to access people's accounts?
If you were to write a spyware, why limit yourself to cookies? Why don't you search for history to see credit card numbers etc?
As 2detailed said - you can increase security by binding users to 1 IP, but also, lots of people are on dialup and have their IP changed at every reconnect.
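To make the flow discussed in this thread concrete, here is an added example (not code from any poster) of the "hash in the database, same hash in the cookie" scheme from the first reply, with the SQL-safe lookup, the copied-cookie problem, and the optional first-IP binding from the later posts. It assumes an in-memory SQLite table as the user store and uses a salted PBKDF2 hash where the thread mentions SHA1/MD5; the names, `bind_ip` flag and sample IPs are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed in-memory database standing in for the site's user table.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, ip TEXT)")


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for the unsalted SHA1/MD5 the thread mentions.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(name: str, password: str, ip: str) -> str:
    """Store the hashed password (and the first-seen IP) and return the cookie value."""
    salt = os.urandom(16)
    pw_hash = hash_password(password, salt)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (name, salt, pw_hash, ip))
    # The cookie carries the user name plus the same hash that sits in the database.
    return f"{name}:{pw_hash.hex()}"


def login_from_cookie(cookie: str, ip: str, bind_ip: bool = False) -> Optional[str]:
    """Return the user name if the cookie matches the database row, else None.

    With bind_ip=False a cookie copied to another machine is accepted (the
    problem raised in the thread); with bind_ip=True the request must come
    from the IP recorded at registration, which breaks for changing IPs.
    """
    name, _, hex_hash = cookie.partition(":")
    try:
        presented = bytes.fromhex(hex_hash)
    except ValueError:
        return None
    # Parameterised query: the cookie value never becomes part of the SQL text.
    row = db.execute("SELECT pw_hash, ip FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return None
    stored_hash, stored_ip = row
    # Constant-time comparison of the presented hash against the stored one.
    if not hmac.compare_digest(presented, stored_hash):
        return None
    if bind_ip and ip != stored_ip:
        return None
    return name
```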