Later I was asking how to logout correctly a user, now I seeing that using only cookies to keep a user logged in is not secure at all.
Keep the password in a cookie
First, let me tell you this. Nothing is 100% secure. Nothing is air tight, and nothing is sacred. If motivated enough, an attacker will break every server-side defense you may put (unless you are using HTTPS, which is a different story).
You may use cookies, but cookies are highly exposed and easily modified. Never store private data, or access levels in a cookie. As it is easily stolen/modified by an attacker.
Sessions are not 100% safe either. The session ID, which the server uses to identify the client, is sent by one of 2 ways. a $_GET variable (bad), or a cookie (better, but still pretty bad). Meaning, if you are logged in as the administrator, over an unsecured WiFi, a skilled attacker (and by skilled I mean a pr0 haxx0r that downloaded a simple HTTP sniffer) can easily steal your SESSION ID. And while not getting your password, the server will wrongly identify the attacker as you, and grant him any access you may have/had.
So what to do? Sessions are on most cases safe. Advise your users to not log in under an unsecured network (buses, internet cafes, etc.). If you want to allow your user authorization to persist over time, a cookie is required. I usually use a 2 cookie system if I need that:
userid=12345
hash=password_hash($userid . $hashed_password, PASSWORD_DEFAULT)
Then I have something to match against, and the user's details weren't revealed.
But like I said, in the end of the day, if you really REALLY wanted to secure your users, in above to everything else written in this answer, get yourself HTTPS.