by tudborg 4420 days ago
The cookie should not contain something computable at all. It should be some kind of session identifier, generated by your code when user:pass combo checks out.

And if possible, store the session information somewhere else than your database. Redis and Memcached are a nice fit for stuff like that.

1 comments

Well, the cookie should not contain anything computable by the user. You could use an encrypted cookie to store session information to save a round-trip to the DB. In that case it should be impossible for the user to derive the key or modify it without detection (so HMAC-SHA256, GCM, Poly1305 or whatever authentication mode is fashionable/applicable.)
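Both approaches from the thread in one added example (not code from either commenter): an opaque random session identifier for the server-side-session design, and a client-side session cookie whose payload is authenticated with HMAC-SHA256 so any modification is detected. It uses only the Python standard library, so the payload is integrity-protected but still readable by the user; an AEAD mode such as AES-GCM would additionally hide it. The key, the TTL and the cookie layout (`payload.tag`, both base64url) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed server-side secret. In a real deployment load it from a secret store;
# it must never be derivable from anything the client sees.
SERVER_KEY = secrets.token_bytes(32)


def new_session_id() -> str:
    """Opaque, unpredictable session identifier for the server-side-session design.

    The value carries no meaning on its own; the session data lives in the
    store (Redis, Memcached, ...) keyed by this id, so there is nothing for the
    user to compute or tamper with.
    """
    return secrets.token_urlsafe(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(session: dict, key: bytes = SERVER_KEY,
                now: Optional[float] = None, ttl: int = 3600) -> str:
    """Client-side session cookie: base64url(JSON) '.' base64url(HMAC-SHA256(key, payload)).

    The expiry is baked into the authenticated payload so it cannot be extended
    by the client either.
    """
    body = dict(session)
    body["exp"] = int((time.time() if now is None else now) + ttl)
    payload = _b64e(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64e(tag)}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY,
                  now: Optional[float] = None) -> Optional[dict]:
    """Return the session dict, or None if the cookie is malformed, tampered with or expired.

    The tag is checked before the payload is parsed, and compared in constant
    time, so a forged cookie is rejected without leaking timing information.
    """
    try:
        payload, tag_b64 = cookie.split(".", 1)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag_b64)):
            return None
        body = json.loads(_b64d(payload))
    except ValueError:  # covers bad base64 (binascii.Error), bad JSON and bad UTF-8
        return None
    if not isinstance(body, dict) or body.get("exp", 0) < (time.time() if now is None else now):
        return None
    return body


def swap_payload(cookie: str, new_session: dict) -> str:
    """Constructed test helper: keep the original tag but replace the payload.

    This is what a client-side edit of the cookie looks like; verify_cookie()
    must reject the result because the tag no longer matches.
    """
    _, tag_b64 = cookie.split(".", 1)
    payload = _b64e(json.dumps(new_session, separators=(",", ":"), sort_keys=True).encode())
    return f"{payload}.{tag_b64}"


if __name__ == "__main__":
    print("server-side session id:", new_session_id())
    cookie = sign_cookie({"uid": 42, "role": "user"})
    print("signed cookie:", cookie)
    print("verifies as:", verify_cookie(cookie))
    edited = swap_payload(cookie, {"uid": 42, "role": "admin", "exp": 2**31})
    print("edited cookie accepted?", verify_cookie(edited) is not None)
```

The JSON is serialised with sorted keys and no whitespace so the same session always produces the same bytes under the MAC; `hmac.compare_digest` avoids the byte-by-byte early exit of `==` on the tag.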