I find it easier to simply store the session_id in the cookie and then use $_SESSION to store the user's ID, then there's no need to create an entry in the database to match the user (unless you store sessions in the db but that's another subject).
I don't store the password in the session. However, sometimes I choose to store the hash of the password in the session (actually, it's a hash of what is stored in the database so it's a hash of a hash of the password). Then I use this hash on every page request to check if the password the user used to log in with is still valid. In this way if the password is changed - either by the user or directly in the database by an admin - then all sessions of this user are immediately invalidated so it's good for security.