in reply to How to make a secure website
Seriously, store only a session id in the cookie. Don't store a cleartext user id, and make sure you somehow make it impossible to calculate a valid session id. That is, the session id must be a large number - too large to be brute-forced. The distribution of the algorithm that produces the session id must be flat.
And - of course - make sure the login is performed over an HTTPS connection.
Other than that, make sure you properly process anything the users submit through forms or URL tampering.
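
The advice above, sketched in Python as an added example (not code from the original post): the cookie carries only an opaque 256-bit id from the OS CSPRNG, and the user id stays in a server-side table. The cookie name `sid`, the 30-minute lifetime, the in-memory `SESSIONS` dict and the `Secure`/`HttpOnly` attributes are assumptions made for the example.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

SESSION_BYTES = 32   # 256 bits of CSPRNG output: too large to brute-force
SESSION_TTL = 1800   # seconds; constructed value for this example
SESSIONS = {}        # session id -> (user id, expiry); stands in for a server-side store


def create_session(user_id, now=None):
    """Call after a successful login over HTTPS; returns the opaque session id."""
    now = time.time() if now is None else now
    sid = secrets.token_hex(SESSION_BYTES)  # uniformly random, not derived from user_id
    SESSIONS[sid] = (user_id, now + SESSION_TTL)
    return sid


def session_cookie(sid):
    """Build the Set-Cookie value; it contains the session id and nothing else."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True     # browser sends it over HTTPS only
    cookie["sid"]["httponly"] = True   # not readable from page scripts
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def user_for_cookie(cookie_header, now=None):
    """Map a Cookie header to a user id, or None if missing, malformed or expired."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header)
    except CookieError:
        return None
    if "sid" not in cookie:
        return None
    sid = cookie["sid"].value
    # The cookie is user-submitted input: accept exactly 64 lowercase hex characters.
    if len(sid) != SESSION_BYTES * 2 or any(ch not in "0123456789abcdef" for ch in sid):
        return None
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    user_id, expiry = entry
    if now >= expiry:
        SESSIONS.pop(sid, None)  # expired ids are dropped, not revived
        return None
    return user_id
```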