Yes, you should be using sessions to store user information rather than cookies. The reason is because the user has no access to the session file on your server stored below the web root, but since the cookie is stored on their computer, they can edit or inspect it anytime they want. I think the method you are using to restore the session is secure enough, although someone could potentially restart someone else's session by entering a random string that happens to be the saved session for another user.
You might also remove the username from the cookie. Normally the username would be tied to the session in your table that tracks sessions.
It's not necessarily a really big deal, usernames are quite commonly public knowledge anyway (a person's e-mail address or their displayed name on the system), but I see no need to expose something that doesn't need to be when it's no more work at all to not expose it.