However, if you REALLY want to get into security, you could go all out and implement a ticket system.
Read on for ticket system.
Upon successful login, cache browser type/ver, client ip, time of login, user ID, and generate a ticket id.
Store ticket ID only in the cookie. Do not even need username!
Upon page refresh, lookup the ticket, compare current browser type/ver, client ip, check time of login for timeout status (reset if required), then, if all pass, just fetch the user's record via user ID.
No need to mess with messy passwords. Even if a ticket cookie is stolen, its properties won't match up against what the thief is using.
In addition, you could seed each FORM based page with a one-up authorization code, to be compared upon POST. Both the ticket cookie and the posted auth code must be correct in order to process.
But this is only if you really want to go all the way.
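A minimal sketch of the ticket scheme described above, added here as an example and not part of the original post. The in-memory store, the 15-minute sliding timeout, revoking a ticket on mismatch, and treating the "one-up" code as a random single-use value are all assumptions, as are the function names.

```python
import hmac
import secrets
import time

TIMEOUT = 15 * 60  # assumed idle timeout, in seconds
_tickets = {}      # server-side cache: ticket id -> cached login properties

def login(user_id, user_agent, client_ip, now=None):
    """Call after the password check succeeds; returns the only value stored in the cookie."""
    ticket_id = secrets.token_urlsafe(32)  # unguessable, carries no user data
    _tickets[ticket_id] = {"user_id": user_id, "ua": user_agent, "ip": client_ip,
                           "seen": time.time() if now is None else now,
                           "form_code": None}
    return ticket_id

def check_ticket(ticket_id, user_agent, client_ip, now=None):
    """Return the user ID if the ticket matches its cached properties, else None."""
    now = time.time() if now is None else now
    t = _tickets.get(ticket_id)
    if t is None:
        return None
    if now - t["seen"] > TIMEOUT or t["ua"] != user_agent or t["ip"] != client_ip:
        _tickets.pop(ticket_id, None)  # expired or mismatched: revoke (assumed policy)
        return None
    t["seen"] = now  # sliding timeout: reset on every valid request
    return t["user_id"]

def issue_form_code(ticket_id):
    """Generate a fresh single-use code to embed in a hidden form field."""
    code = secrets.token_urlsafe(16)
    _tickets[ticket_id]["form_code"] = code
    return code

def check_post(ticket_id, user_agent, client_ip, posted_code, now=None):
    """A POST is processed only if both the ticket and the posted code are correct."""
    user_id = check_ticket(ticket_id, user_agent, client_ip, now)
    if user_id is None:
        return None
    t = _tickets[ticket_id]
    expected, t["form_code"] = t["form_code"], None  # consume: valid for one POST only
    if expected is None or not hmac.compare_digest(
            expected.encode(), (posted_code or "").encode()):
        return None
    return user_id
```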