1. That is correct. However, never store raw passwords in the database or the cookie so that a hacker can not see them. Hash the password via SHA1 or MD5 in both the database and the cookie, that way even if the hacker gets the hash he doesn't know the user's password.

2. Always validate the information with the database on every page which they need to be logged in on.

3. You can edit POST just as easily as GET, but POST is not as visible so use it. Just validate the data you get from POST and you will be fine.

I prefer using database sessions to validate the user. This may be a tad too advanced right now, but every time the user logs in make a randomly generated key, store that key in both the cookie and the database (along with the user's ID), use those to match the login with. That way if a hacker grabs the users cookie (or even gets your database), it is useless after the user logs out.

__________________