12-24-2009, 07:49 AM
You should avoid putting the password into plain sight, especially when it's ultimately unnecessary - leave any critical information such as that (hashed or otherwise) stored behind a lock and key, and only use it when you need to.
It should be more than sufficient to store their user id, a session id (the unique token) and for a little extra security you can hash the user agent and store that too. In my own authentication script I hashed the ua with a random salt stored in the authentication table (similar to how the password was hashed) and concatenated the three values into a single string which was stored in the cookie.
The method that checked the authentication knew how to read the string and could split it up into its parts (don't use something like a separator; if you're using a hash you should know the length of each value) and then run them against the data stored in the session table. This is just one way; there are a lot of others that work quite well. Just avoid putting the password out there into the world.
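The scheme described in the post (user id + session token + salted user-agent hash, concatenated at fixed widths and split by length on the way back in), as an added Python example that is not the poster's own script. The field widths, SHA-256 as the hash, and the in-memory dict standing in for the session table are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Fixed field widths so the cookie can be split without a separator:
# each value has a known length, as the post recommends (assumed widths).
USER_ID_WIDTH = 8        # zero-padded decimal user id
TOKEN_HEX_WIDTH = 32     # 16 random bytes -> 32 hex chars
UA_HASH_HEX_WIDTH = 64   # SHA-256 -> 64 hex chars


def hash_user_agent(user_agent, salt):
    """Salted SHA-256 of the User-Agent; the salt never leaves the server."""
    return hashlib.sha256(salt + user_agent.encode()).hexdigest()


def create_session(session_table, user_id, user_agent):
    """Store a server-side session record and return the cookie string."""
    token = secrets.token_hex(16)        # 32 hex chars, unpredictable
    salt = secrets.token_bytes(16)       # stored only in the session table
    ua_hash = hash_user_agent(user_agent, salt)
    session_table[token] = {"user_id": user_id, "salt": salt, "ua_hash": ua_hash}
    return f"{user_id:0{USER_ID_WIDTH}d}{token}{ua_hash}"


def split_cookie(cookie):
    """Split by fixed widths; reject anything of the wrong shape."""
    if len(cookie) != USER_ID_WIDTH + TOKEN_HEX_WIDTH + UA_HASH_HEX_WIDTH:
        return None
    uid = cookie[:USER_ID_WIDTH]
    token = cookie[USER_ID_WIDTH:USER_ID_WIDTH + TOKEN_HEX_WIDTH]
    ua_hash = cookie[USER_ID_WIDTH + TOKEN_HEX_WIDTH:]
    if not uid.isdigit():
        return None
    return int(uid), token, ua_hash


def check_auth(session_table, cookie, user_agent):
    """Return the user id if cookie and current User-Agent match the record, else None."""
    parts = split_cookie(cookie)
    if parts is None:
        return None
    user_id, token, ua_hash = parts
    record = session_table.get(token)
    if record is None or record["user_id"] != user_id:
        return None
    # Recompute the UA hash with the stored salt; compare in constant time
    # so a forged cookie cannot be distinguished by timing.
    expected = hash_user_agent(user_agent, record["salt"])
    if not hmac.compare_digest(expected, record["ua_hash"]):
        return None
    if not hmac.compare_digest(ua_hash, record["ua_hash"]):
        return None
    return user_id
```

The password is never part of the cookie; revoking the session is just deleting the token's row from the table.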