Possibly the best approach, as has been suggested and what most third-party apps do, is to create a “user_sessions” database table with the following fields:

session_id (var_char)
user_id (int)
ip_address (var_char)
last_logged_in (unix timestamp)

Then use a cookie to store an md5 hash of whatever you like, possibly:

md5($username.$ip); //since md5 has a lot of reverse look ups now you should use a number of fields to validate. You could use a different crypto function to make it more difficult to crack, but md5 is the simplest version available in all php versions.

EDIT: You will then compare the stored hash from the cookie with the database session_id to see if they have already logged in. The reason to combine a couple of fields in the md5 function is to create a less “guessable” hashing format. It makes it less likely someone will be able to edit a cookie and login as someone else.

This could be done for all users (this way you can track who is online) and just set a “persistant” login variable in the cookie. eg.

p_login=true || p_login=false

That way you’ll know whether to auto login or force login.

note: You may be able to look at http://www.openwall.com/articles/PHP-Users-Passwords for a different way to hash passwords, session_ids and users.