I'd like to use the "cookie" session adapter from Lithium. After the user logs in I'll create a cookie with his hashed password. If this cookie is present and the hashed password matches the one from the db, I'll log him in automatically.
Is this safe?
OK, I'm not talking about having the actual hash in the cookie, but an encrypted hash. I don't want anyone to find out how that hash looks :) Lithium has "strategies" that encrypt any data that you store in sessions with a "secret", so the hash would be encrypted. Basically I'm asking if Lithium's encryption is good enough. Has anyone worked with Lithium?
It depends on your hashing algorithm. Use a salt to make your hash more secure:
Safe Password Hashing and
Remember, the hash of the password is effectively the same as their password. Somebody who stole the hash would have the same access to the user's account as if they had stolen their password. Therefore it is not advisable to store a hash of the user's password in a cookie unless there was some other information not stored with the cookie that is used to authenticate (i.e. 2-factor authentication). Gabe in this Answer.
You can also check out these links:
Is it advisable to store a hashed password in a cookie?
Secure hash and salt for PHP passwords
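The point quoted in the answer above, as an added example that is not part of the original posts and is not Lithium code: under the scheme in the question a stored password hash that leaks is accepted as a login cookie, whereas a random remember-me token of which the server keeps only the SHA-256 is not usable that way and can be revoked without a password change. The in-memory `$users` array, the function names and the 14-day lifetime are assumptions made for illustration, and the token scheme is a common alternative rather than something the answer prescribes.

```php
<?php
// Constructed stand-in for a users table (illustrative names and values).
$users = ['alice' => [
    'pw_hash'  => password_hash('correct horse battery', PASSWORD_DEFAULT),
    'remember' => null,
]];

// Scheme from the question: the cookie value is the stored password hash.
function loginWithHashCookie(array $users, string $user, string $cookie): bool
{
    return isset($users[$user]) && hash_equals($users[$user]['pw_hash'], $cookie);
}

// Alternative: the cookie holds a random token, the server keeps only its SHA-256.
function issueRememberToken(array &$users, string $user, int $ttl = 1209600): string
{
    $token = bin2hex(random_bytes(32));
    $users[$user]['remember'] = [
        'hash'    => hash('sha256', $token),
        'expires' => time() + $ttl,
    ];
    return $token; // this value goes into the cookie
}

function loginWithToken(array $users, string $user, string $cookie): bool
{
    $row = $users[$user]['remember'] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return false; // no token issued, revoked, or expired
    }
    // Compare in constant time against the hash of what the client sent.
    return hash_equals($row['hash'], hash('sha256', $cookie));
}

$cookie          = issueRememberToken($users, 'alice');
$leakedPwHash    = $users['alice']['pw_hash'];            // what a database leak exposes
$leakedTokenHash = $users['alice']['remember']['hash'];   // likewise for the token scheme

// Present each leaked database value as if it were the cookie, then the real cookie.
var_dump(loginWithHashCookie($users, 'alice', $leakedPwHash));
var_dump(loginWithToken($users, 'alice', $leakedTokenHash));
var_dump(loginWithToken($users, 'alice', $cookie));

// Logout or suspected theft: revoke the token; the password stays unchanged.
$users['alice']['remember'] = null;
var_dump(loginWithToken($users, 'alice', $cookie));
```

Encrypting the cookie, as the question proposes, changes what an observer can read but not what the server accepts; the comparison logic above is where the two schemes differ.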