This is basic web app session management with cookies and OpenID doesn’t make a difference here at first.

No, absolutely do not store the username and password in the cookie. Cookies act as “bearer tokens”, meaning whoever has the cookie gets in. The best thing to store in a cookie is an unguessable and arbitrary key that you can use to look up real information in a table in your application. So, the user shows up with a cookie of “myappsession” and a value of “234871nb341adf” tied to your domain. Your app would then look up the value of “234871nb341adf” in a local data store and see if it’s tied to a valid user. You’d be best served to also check how long ago that user was there and whatnot. If it’s a valid session and it’s within your time and usage limits, the user is logged in automatically.

For extra paranoia from the RP side, you can make use of the checkid_immediate mode of OpenID to make a background call to see if the user is still logged in to their IdP. If they’re not, then you at least know which provider to try to send them to for re-validation and can provide a better user experience.

If you want your site to be really secure, you should do all of your sessions over HTTPS and tag your cookies as both “Secure” and “HTTPOnly”, which is documented on the setcookie function manual page: http://php.net/manual/en/function.setcookie.php