For well over a decade, the browser cookies used to "remember" a login for a week consisted of little more than the username and a password hash, stored browser-side. When a member returned to the website, the browser would send the cookie values to the server, which performed a login process similar to the regular form submission.
Generally, this wouldn't pose any issues, but if someone were to gain access to the Web browser or perform a man-in-the-middle attack, it could be possible to gain access to an account by brute-force cracking the hash of a weak password* and then combining the recovered password with the username.
Cookies now use tokens that are unique to each login session. Any member can view all active tokens within My Settings and purge any suspicious tokens to invalidate future access on any other device without logging in again. This also helps when using a shared device and forgetting to log out afterwards, as killing the long-term session token would prevent access to the account after about an hour.
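A minimal sketch of the per-login token scheme described above, added here as an illustration and not the site's own code. The class and method names and the in-memory dictionary are assumptions; a real deployment would keep the rows in a database.

```python
import hashlib
import secrets
import time

WEEK = 7 * 24 * 3600  # "remember me" lifetime mentioned in the text


class RememberTokens:
    """Hypothetical store: the cookie carries a random token, never password material."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> {"user", "device", "expires"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, device, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, unique per login
        self._rows[self._digest(token)] = {
            "user": user, "device": device, "expires": now + WEEK}
        return token  # set as the cookie value; the server keeps only the digest

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        row = self._rows.get(self._digest(token))
        if row is None or row["expires"] <= now:
            return None  # unknown, purged or expired token
        return row["user"]

    def active(self, user, now=None):
        """Rows for a settings page: (token id, device), never the token itself."""
        now = time.time() if now is None else now
        return [(d[:12], r["device"]) for d, r in self._rows.items()
                if r["user"] == user and r["expires"] > now]

    def revoke(self, user, token_id):
        """Purge one of the user's tokens by its listed id; True if removed."""
        for d, r in list(self._rows.items()):
            if r["user"] == user and d.startswith(token_id):
                del self._rows[d]
                return True
        return False
```

Because the server stores only a digest of a random value, a stolen cookie or a leaked table reveals nothing that can be cracked back into the account password, and purging one row ends that device's access without touching the others.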