I read about many old questions about this argument, and I thought that the best practice is to set up a cookie with username, user_id and a random
If your cookies are stolen, anyone can log into your accounts. It's actually what Firesheep does. The security lies in the random token. The whole system assumes cookies can't be stolen. The only other way to get in then is to guess the random token. If you make it long enough, it should be nigh-impossible.
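
Added example, not part of the original question or answer: issuing and checking a remember-me cookie of the kind discussed above in Python, with a 256-bit random token, only its hash kept server-side, and the Secure flag so the cookie is never sent over plain HTTP where it can be sniffed. The cookie name `remember`, the `user_id:token` layout and the in-memory `TOKEN_HASHES` store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory store: user_id -> SHA-256 hex digest of the token.
# A real application would keep this in its database.
TOKEN_HASHES = {}


def issue_cookie(user_id):
    """Create a remember-me token and return the Set-Cookie header value."""
    token = secrets.token_urlsafe(32)  # 32 bytes (256 bits) from the OS CSPRNG
    # Store only a hash, so a leaked table does not hand out usable tokens.
    TOKEN_HASHES[user_id] = hashlib.sha256(token.encode()).hexdigest()
    cookie = SimpleCookie()
    cookie["remember"] = f"{user_id}:{token}"
    cookie["remember"]["secure"] = True    # HTTPS only: not exposed to sniffing
    cookie["remember"]["httponly"] = True  # not readable from page JavaScript
    cookie["remember"]["samesite"] = "Lax"
    cookie["remember"]["max-age"] = 30 * 24 * 3600
    cookie["remember"]["path"] = "/"
    return cookie["remember"].OutputString()


def verify_cookie(value):
    """Return the user_id if the cookie carries the current token, else None."""
    user_id, sep, token = value.partition(":")
    expected = TOKEN_HASHES.get(user_id)
    if not sep or expected is None:
        return None
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if hmac.compare_digest(presented, expected):
        return user_id
    return None


def revoke(user_id):
    """Invalidate the stored token, e.g. on logout or password change."""
    TOKEN_HASHES.pop(user_id, None)
```

Because the server can revoke a token, a cookie that is stolen anyway stops working as soon as the user logs out or changes the password.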