I don't know how you said its hackable. Use sessions for logins and cookies just for remember me options. I don't think you want the user to get logged in directly rather you want his/her username/email to be displayed in the form if he chooses remember me options.