PHP: a secure way to keep login information

Question

After reading this and all related questions, I'm still having an issue.
I'm trying to implement a login form with a "Remember me" functionality. Earlier I had been using a cookie (which contained only a hashed username, no password) to verify whether a user has already been logged in, but I've read that this is not too secure so I've decided to stick with sessions only.
In the beginning everything works as needed:

$expires=isset($_POST['rememberMe'])? time()+(60*60*24*14): 0;
session_set_cookie_params($expires, "/", ".example.com", false, true);
session_start();

But I want them to be able to open pages directly (such as http://example.com/blog) if the "Remember me" is set. Obviously, I do a session_start() and redirect to the login page if the user is not logged in. However, at this point I can't do a session_set_cookie_params() correctly since I can't know whether he/she had set "Remember me" earlier or not. If I still put this into a cookie, would it be secure? Or should I modify my database to do this?
And one more thing: is it secure to keep session data (no passwords, again!) such as user name, permissions and so on, for two weeks?

Answer 1

If you properly store a random generated key in your database, I can't see how this is not secure.

You should generate a random key, store it in your database and then register a cookie with it. When the user requests he will send that cookie to you, which will verify the key against the database and provide the access if it's alright.

Remember that the underlying mechanism of sessions actually use cookies. The danger of someone stealing your "remember-me" cookie also exists for your session cookie, so if you think that the "remember-me" scheme is not safe, your whole session system is flawed.