You should never ever store plaintext or even decryptable passwords in your database unless you have generated them and the user cannot enter a custom one!
The most common way is storing the hash of the password in the cookie which is also in the database. However, this allows anyone to login by just knowing the hash - without access to the original password. So don't go by that way even though it's obviously the easiest one.
A secure approach would be storing a random, unique "login hash" in the database and setting this hash plus the user's ID in the cookie. That would not only make the password hash useless for logging in but also allow you to create a "log out everywhere" feature.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
