I'd like to know if the following system is insecure please:
A user is allowed to check the "always signed in" (24 hours) checkbox upon logging in.
If checked, the "userkey" cookie is set to exist for 24 hours. So the user can exit out of the browser session and relaunch the browser and still be logged in. This works by my web server checking if the "userkey" cookie matches any userkey in the user database. If it does, it creates a logged in session for that user.
Is this insecure? Because a user can create a fake userkey cookie and see if it matches that of another user's userkey, thus successfully logging in as another user?
What would be a better way to do this?