1.) On my common.inc.php script I have this

PHP Code:
$username = $_COOKIE['Bestwebusername'];
$logged_in = $_COOKIE['Bestweblogged'];
$cookie_password = $_COOKIE['Bestwebpassword'];
I have a function called printHeader()

and it looks like this
PHP Code:
<?php
function PrintHead ($title) {
    global $username;
    global $cookie_password;
    global $logged_in;
    global $title;

    // Look up the stored password for the username taken from the cookie
    $SQL = "SELECT * FROM bweb_users where username='$username'";
    $result = mysql_query($SQL);
    $rows = mysql_fetch_array($result);
    $pass = $rows['password'];

    // Expire all three cookies when the cookie password does not match the stored one
    if ($pass != $cookie_password):
        setcookie("Bestweblogged", "", time()-155555, "/", "", 0);
        setcookie("Bestwebusername", "", time()-155555, "/", "", 0);
        setcookie("Bestwebpassword", "", time()-155555, "/", "", 0);
    endif;

?>
  <html>
  <head>
   <body class="body" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
   <?php   include("C:/xampp/htdocs/loginbox.php"); ?>

2.) loginbox.php file is something like this:

PHP Code:
<?php
// Greet the user when the login-status cookie says 'yes', otherwise show the login form
if ($logged_in == 'yes'):
    print "hello $username";
else:
    print "html login.php form;";
endif;

3.) Login.php script is comparing form_username and form_password with the mysql equivalents and (if true) throwing these 3 cookies

PHP Code:
setcookie("Bestweblogged", "yes", time()+3600, "/", "", 0);
setcookie("Bestwebusername", "$form_username", time()+3600, "/", "", 0);
setcookie("Bestwebpassword", "$pass", time()+3600, "/", "", 0);

So, my question is: is this way somehow safe?
Basically I am throwing them 3 cookies

username
password (md5 of course)
login status (Y or N)


Even if other users (hackers) go change the cookie username value to something else, since they don't know the password they can't get in.

I read on PHP.net site that people steal cookies. How is this possible?

I am not leaning towards the use of sessions (yet) since I want my visitors to be able to come back and read the messages without needing to log back in. This will be for a forum.

Thanks in advance and sorry, about these beginner questions.
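
An added example, not part of the original post: the same goal (returning visitors stay logged in) met with a random server-side token in place of the username, MD5 password and "yes" flag cookies, so the cookie holds nothing derived from the password and the lookup uses bound parameters. The `remember_tokens` table, the `Bestwebtoken` cookie name and all function names are assumptions, and an in-memory SQLite database stands in for the MySQL one so the script runs on its own.

```php
<?php
declare(strict_types=1);
// Added example, not the poster's code. Table, cookie and function names are hypothetical.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');   // constructed in-memory store so the example runs offline
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_tokens
               (selector TEXT PRIMARY KEY, token_hash TEXT, username TEXT, expires INTEGER)');
    return $db;
}

// Call after the password check succeeds; returns the value to place in the cookie.
function issueToken(PDO $db, string $username, int $ttl = 3600): string {
    $selector = bin2hex(random_bytes(9));    // lookup key, not secret
    $token    = bin2hex(random_bytes(32));   // secret; only its SHA-256 is stored
    $stmt = $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $token), $username, time() + $ttl]);
    return $selector . ':' . $token;
}

// Returns the username bound to the token, or null. Identity comes from the
// database row, never from a value the browser supplies.
function checkToken(PDO $db, string $cookie): ?string {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $token] = $parts;
    $stmt = $db->prepare('SELECT token_hash, username, expires
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison of the stored hash with the hash of the presented token
    return hash_equals($row['token_hash'], hash('sha256', $token)) ? $row['username'] : null;
}

// In a web request, send the token before any output (options array needs PHP 7.3+).
function sendCookie(string $value, int $ttl = 3600): void {
    setcookie('Bestwebtoken', $value, ['expires' => time() + $ttl, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

$db = makeDb();
$cookie = issueToken($db, 'alice');            // constructed sample user
var_dump(checkToken($db, $cookie));            // the issued token
var_dump(checkToken($db, $cookie . '0'));      // the same token with one character appended
```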