If you're going to manually create the authentication cookie, then you need to make sure it's set to "HTTP only". This ensures that the cookie cannot be stolen via a Cross-Site Scripting vulnerability.
If you want the user to be remembered, then simply increase the duration of the authentication ticket:
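```csharp
DateTime utcNow = DateTime.UtcNow;

// "Remember me" only changes how long the ticket stays valid.
DateTime utcExpires = loginUser.RemeberMe
    ? utcNow.AddDays(5)
    : utcNow.AddMinutes(20);

var authTicket = new FormsAuthenticationTicket(
    2,                    // ticket version
    loginUser.Username,   // user name stored in the ticket
    utcNow,               // issue date
    utcExpires,           // expiration
    loginUser.RemeberMe,  // isPersistent
    string.Empty,         // user data
    "/"                   // cookie path
);

// The cookie value is the encrypted ticket, never the password.
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));

// HttpOnly keeps client-side script from reading the cookie.
cookie.HttpOnly = true;

// Without an Expires value the browser treats this as a session cookie.
if (loginUser.RemeberMe)
{
    cookie.Expires = authTicket.Expiration;
}

Response.Cookies.Add(cookie);
```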
Attempting to "remember" the user's password is an extremely bad idea, and will lead to serious security vulnerabilities in your application.
How to build (and how not to build) a secure "remember me" feature | Troy Hunt
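Added example, not part of the original answer: a small C# check that inspects the `Set-Cookie` header your login response actually emits and reports whether the authentication cookie carries `HttpOnly` and `Secure`, and whether its persistence matches the "remember me" choice. The class name `AuthCookieAudit`, the `Check` method and the sample header values are constructed for illustration; `.ASPXAUTH` is the default forms cookie name.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: audits raw Set-Cookie header values for the flags discussed above.
public static class AuthCookieAudit
{
    // Returns the problems found for one Set-Cookie header value.
    public static List<string> Check(string setCookie, bool rememberMe)
    {
        string[] parts = setCookie.Split(';').Select(p => p.Trim()).ToArray();
        // The first part is name=value; attribute names are case-insensitive.
        var attrs = new HashSet<string>(
            parts.Skip(1).Select(p => p.Split('=')[0].Trim()),
            StringComparer.OrdinalIgnoreCase);

        var problems = new List<string>();
        if (!attrs.Contains("HttpOnly"))
            problems.Add("missing HttpOnly: script on the page can read the ticket");
        if (!attrs.Contains("Secure"))
            problems.Add("missing Secure: ticket is sent over plain HTTP");
        bool persistent = attrs.Contains("Expires") || attrs.Contains("Max-Age");
        if (persistent && !rememberMe)
            problems.Add("persistent cookie issued without \"remember me\"");
        if (!persistent && rememberMe)
            problems.Add("session cookie issued although \"remember me\" was ticked");
        return problems;
    }

    public static void Main()
    {
        // Constructed sample headers paired with the user's "remember me" choice.
        var samples = new[]
        {
            Tuple.Create(".ASPXAUTH=0A1B2C; path=/; HttpOnly", false),
            Tuple.Create(".ASPXAUTH=0A1B2C; expires=Sat, 06-Jan-2024 10:00:00 GMT; path=/; secure; HttpOnly", true),
            Tuple.Create(".ASPXAUTH=0A1B2C; expires=Sat, 06-Jan-2024 10:00:00 GMT; path=/", false),
        };
        foreach (var s in samples)
        {
            List<string> problems = Check(s.Item1, s.Item2);
            Console.WriteLine(s.Item1);
            Console.WriteLine(problems.Count == 0 ? "  OK" : "  " + string.Join("\n  ", problems));
        }
    }
}
```

The first sample is flagged only for the missing `Secure` attribute, the second passes, and the third is flagged for missing `HttpOnly`, missing `Secure` and unexpected persistence.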