
"Remember me" auto-login script

Ideas? Tips? Tricks?


whoisgregg

6:04 pm on May 26, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Looking to implement a remember me auto login feature on a site and wanted to solicit ideas on how to do it. Simplest way to do this is to set a cookie with their username and password and have the login page attempt to use that cookie first, right? Anything else you'd recommend?

eelixduppy

6:14 pm on May 26, 2006 (gmt 0)



>>>Simplest way to do this is to set a cookie with their username and password and have the login page attempt to use that cookie first, right?

yup!

whoisgregg

6:26 pm on May 26, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I plan on also encrypting the username and password for the cookie... or at least obfuscating it.

Think it'd make sense to also have the system check that the UA or IP stays the same? Or is that just overkill? :)

eelixduppy

6:36 pm on May 26, 2006 (gmt 0)



>>> I plan on also encrypting the username and password for the cookie
good idea.

As for storing the ip address, well, it's not overkill because there is no such thing as overkill in my book :), however, not everyone is going to have static ip addresses. I guess though, in that case, they just have to login again :)

I've also read that instead of setting a username cookie, a unique user-id should be implemented. Again, I've only read this and don't know the positives and negatives of this approach.

grandpa

8:21 pm on May 26, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



...just a thought...

If a "Remember Me" forgets me because my IP address has changed I would consider it to be broken, as an end user. My own IP does seem to change on occasion. That's why I don't opt-in to "Restrict Access to this IP". And, what if your users are behind AOL, or others?

You could provide an extra layer of security, and comfort for those users with a static IP by offering an option for "Restrict Access to this IP".

eeek

8:07 pm on May 28, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



however, not everyone is going to have static ip addresses

It's worse than that. Large numbers of people are sitting behind NATs and they'll all have the same IP address. There's also providers, like AOL, that use proxy farms and you'll see many IP addresses for the same user.

eelixduppy

11:53 pm on May 28, 2006 (gmt 0)



I was about to type that our conclusion would be to not include the ip in the cookie, and then I remembered that WebmasterWorld uses cookies and that you can see what they have set. So I took a look [webmasterworld.com], and discovered that my ip address was one part of the cookie value, along with other characters. So now I guess they use the ip address, along with some other value, together to identify that the computer is unique; the question now is what?

wrightee

6:14 pm on May 29, 2006 (gmt 0)

10+ Year Member



They might use the IP for some other reason; or someone might've made a mistake... Unless your users are exposing the same fixed IP, it doesn't offer any real extra security and will most likely make it look 'broke'.

Why not do a one way crypt on some combination of the user/pass so that the actual u/p isn't exposed should someone root through the cookies.

e.g. $cookie=md5($user.'some_random_secret_stuff'.$pass.$db_row_id);

..then when you check your cookie against your db, just compare against the crypted version of the fields; off top of head query:

SELECT * FROM users WHERE md5(concat(user,'some_random_secret_stuff',pass,id))='$cookie';

Of course, you could still get in by copying the cookie to another box I suppose, but if you can do that, then you probably don't need to break in anyway...

whoisgregg

1:11 pm on May 30, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm going to include lax IP address checking, basically just for logging of IP changes. If it becomes a problem, I'll get more strict. :)

I am going to be strict on User Agent, nuking the cookie if the UA changes at all.

I ended up setting up blowfish encryption anyways, so I'm just going to use that for this cookie and put the username, password, and a primary key to a row in a "remember me" table that contains UA and IP details.

I need to add a "logged in via cookie and needs to re-authenticate to change their password" logic so that a hijacked cookie can't be used to lock out the actual person.
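A Python sketch, added here and not code from any poster, of the design the thread converges on: wrightee's idea of keeping only a one-way digest in the cookie and whoisgregg's "remember me" table with a strict User-Agent check, lax (log-only) IP check, and a re-authenticate-before-changing-password rule. It substitutes a random per-row token (hashed in the table) for a digest of username/password; the in-memory sqlite table, cookie layout `row_id:token` and sample values are constructed for the example.

```python
import hashlib, hmac, secrets, sqlite3

# Constructed in-memory stand-in for the "remember me" table (id, user, UA, IP).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE remember_me (id INTEGER PRIMARY KEY, user TEXT, "
           "token_hash TEXT, ua TEXT, ip TEXT)")
ip_change_log = []  # lax IP policy: changes are logged, not rejected

def issue_cookie(user, ua, ip):
    """Insert a row and return the cookie value 'row_id:token'.
    Only a one-way hash of the token is stored, so neither the cookie nor
    the row ever holds the username/password pair."""
    token = secrets.token_hex(16)
    cur = db.execute("INSERT INTO remember_me (user, token_hash, ua, ip) "
                     "VALUES (?, ?, ?, ?)",
                     (user, hashlib.sha256(token.encode()).hexdigest(), ua, ip))
    return f"{cur.lastrowid}:{token}"

def login_from_cookie(cookie, ua, ip):
    """Return a session dict for a valid cookie, or None if it is rejected."""
    try:
        row_id, token = cookie.split(":", 1)
        row_id = int(row_id)
    except ValueError:          # malformed cookie value
        return None
    row = db.execute("SELECT user, token_hash, ua, ip FROM remember_me "
                     "WHERE id = ?", (row_id,)).fetchone()
    if row is None:
        return None
    user, token_hash, stored_ua, stored_ip = row
    digest = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, token_hash):   # constant-time compare
        return None
    if ua != stored_ua:         # strict UA policy: nuke the row
        db.execute("DELETE FROM remember_me WHERE id = ?", (row_id,))
        return None
    if ip != stored_ip:         # lax IP policy: record the change and carry on
        ip_change_log.append((row_id, stored_ip, ip))
        db.execute("UPDATE remember_me SET ip = ? WHERE id = ?", (ip, row_id))
    # Flag sessions restored from a cookie so sensitive actions need a re-auth.
    return {"user": user, "via_cookie": True}

def change_password(session, reauthenticated):
    """A cookie-restored session must re-authenticate before changing the
    password, so a hijacked cookie cannot be used to lock the real user out."""
    if session["via_cookie"] and not reauthenticated:
        return False
    session["via_cookie"] = False
    return True
```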