php: PHP login session and cookie

Note: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow. Original: http://stackoverflow.com/questions/17493655/

Time: 2020-08-25 13:00:21  Source: igfitidea

PHP login session and cookie

php session cookies

Asked by Adam Strudwick

On my PHP website, users can login and have the possibility to check "Remember me" to set a cookie.

What should I be storing as a SESSION variable? The username, hashed password and user ID, or only the user ID? If I only store the user ID, wouldn't it be possible for someone to edit the SESSION and change the ID?

What about the COOKIE? Should I store only the user ID? As far as I know, cookies can be modified by the end user...

Answered by Boynux

It seems that you don't have a clear vision of sessions and cookies!

Nobody can change the session contents except your code (attacks aside). So you can store everything (reasonable) like user id or username that you need to access frequently. In cookies you must store some obfuscated information so that you can recognize the user later when he/she tries to access your page. So based on the cookie content you can regenerate the user's session (i.e. re-login the user automatically). Just note that the user CAN change the cookie content, so it must not be something simple like the user id, for security reasons.

I'll just give you a simple example; it's far from perfect but not so bad! You may need to tailor it to fit your scenario:

Here you can create the cookie content like this:

// derive a 2-character "salt" from the password itself (the answer's scheme)
$salt = substr(md5($password), 0, 2);
// md5() has no salt argument (its 2nd parameter is a raw-output flag), so prepend the salt
$cookie = base64_encode("$username:" . md5($salt . $password));
setcookie('my-secret-cookie', $cookie);

and later to re-login user you do:

$cookie = $_COOKIE['my-secret-cookie'] ?? '';
$parts = explode(':', base64_decode($cookie), 2);   // [username, hashed_password]
if (count($parts) === 2) {
    list($username, $hashed_password) = $parts;
    // here you need to fetch real password from database based on username. ($password)
    $salt = substr(md5($password), 0, 2);
    // hash_equals avoids PHP's loose == comparison of hash strings
    if (hash_equals(md5($salt . $password), $hashed_password)) {
        // you can consider the user as logged in
        // do whatever you want :)
    }
}

UPDATE:

I wrote this article that covers this concept. Hope it helps.

Answered by Stephen Cluff

You should be storing the random session value in the cookie. You definitely should not be storing any information about the user in the cookie itself. You can then check the session id in the cookie on each page load to ensure that (a) the user should have access to that content and (b) that the session ID is valid.

In PHP you can use session_set_cookie_params and session_name to set the parameters of the cookie.

Answered by Ali Sheikhpour

For those who may prefer using cookies (so you can access it a long time later even if the browser was closed), this is a safe way to store even a rough ID in cookies:

  1. Create a new field in the users database; name it X.
  2. Generate a cookie to keep the user ID.
  3. Generate a safe (say, long) RandomString and keep it in another cookie.
  4. Also save that random string in the field X.
  5. In the members area, check whether the cookies ID and RandomString match the database information.
  6. Clear column X when the user signs out and generate data for X on the next login.

To prevent a library attack matching that random string, you may also force logout as soon as the check fails, or block that IP for a certain time.
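A worked version of these six steps, added here as an example and not the answer's own code. It assumes a PDO handle $db, a users table with an integer column id and a nullable column remember_token (the answer's X), and that session_start() has already run; it differs from the answer in storing a SHA-256 of the random string in X rather than the string itself, and it sets the cookie flags that session_set_cookie_params would also accept.

```php
<?php
// Added example, not code from the answer above. Implements its six steps: a
// user-ID cookie plus a long random string also kept in a users column (the
// answer's "X", here remember_token). Assumed: session_start() was called, $db
// is a PDO handle, users has integer column id and nullable remember_token.
// Difference from the answer: X stores sha256(random string), not the string,
// so a leaked database dump cannot be replayed as a cookie.

function cookieOptions(): array {
    return ['expires' => time() + 30 * 86400, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
}

// Steps 2-4: after a successful password login, set both cookies, store token.
function issueRememberMe(PDO $db, int $userId): void {
    $random = bin2hex(random_bytes(32));             // 64 hex chars from a CSPRNG
    $db->prepare('UPDATE users SET remember_token = ? WHERE id = ?')
       ->execute([hash('sha256', $random), $userId]);
    setcookie('remember_id', (string)$userId, cookieOptions());
    setcookie('remember_token', $random, cookieOptions());
}

// Step 5: in the members area, re-login only if the ID/RandomString pair
// matches the database; on any mismatch drop the cookies (the "force logout").
function checkRememberMe(PDO $db): ?int {
    $id = $_COOKIE['remember_id'] ?? '';
    $token = $_COOKIE['remember_token'] ?? '';
    if (!ctype_digit($id) || !ctype_xdigit($token)) {
        return null;
    }
    $stmt = $db->prepare('SELECT remember_token FROM users WHERE id = ?');
    $stmt->execute([(int)$id]);
    $stored = $stmt->fetchColumn();                  // false if no row, NULL if signed out
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', $token))) {
        forgetRememberMe($db, null);
        return null;
    }
    session_regenerate_id(true);                     // new session ID on privilege change
    $_SESSION['user_id'] = (int)$id;
    return (int)$id;
}

// Step 6: on sign-out clear column X and both cookies; next login issues a new pair.
function forgetRememberMe(PDO $db, ?int $userId): void {
    if ($userId !== null) {
        $db->prepare('UPDATE users SET remember_token = NULL WHERE id = ?')->execute([$userId]);
    }
    setcookie('remember_id', '', ['expires' => 1, 'path' => '/']);
    setcookie('remember_token', '', ['expires' => 1, 'path' => '/']);
}
```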

Answered by Dr_Dang

Users cannot edit session variables; these are managed on the server.

Session Variable Advantages
1.) Secure
2.) Robust

Session Disadvantage
1.) Short lifetime; it lasts only until the session exists. The session gets destroyed when the user closes his browser, when the server restarts, or when it is destroyed using session_destroy();

So sessions are more secure.

Cookies, on the other hand, let you remember user preferences.

If you use a combination of both, then it's an advantage for your code.

You can store the user ID and username in a cookie, then verify the user's identity using that combination.

If it does not exist, then you can log the user in and keep the info in the session as well as update the cookie.