Remember me Cookie best practice?

Question

I read about many old questions about this argument, and I thought that the best practice is to set up a cookie with username,user_id and a random

Answer 1

I always knew that the "remember me" feature only converted the session cookie (i.e. the cookie with the session ID) from expiring when closing the browser to a future date, it doesn't involve saving additional data, only extending the session.

And yes, if an attacker gets the cookie, it can impersonate the user. But this is always valid, and has nothing to do with "remember me".