There are browser cookies $_COOKIES, and there are session variables $_SESSION (whose ID is also stored in browser cookies).
In the browser, apart from the session ID, it is better not to store anything important, because it can be changed without problems.
All session data must be stored on the server side.
Use the setting of the session flag after successful authorization in the PHP script on the server side, for example, like this: $_SESSION['user']=$username;and everywhere check the presence and content of this variable:

if ($_SESSION['user']!="") { 
  //пользователь авторизован... 
}

Can be stored in cookies, can be stored in sessions. In cookies, store ONLY a unique token, which, if stolen, will stop working. Anything can be stored in a session, but the standard mechanism sets the session lifetime to SESSION.
Most importantly, the session identifier is in the cookie (PHPSESSID), many people forget about it. And if you increase the session lifetime, then session == cookies.

Of course, you can write a hashed password to the cookie so that each page checks the cookie for a match - login == db.login && password == db.password, but I'm not sure if this is correct.

it is right. not safe, but correct. not safe because you can go to the browser and steal cookies. but this is a different kind of problem. you can set the cookie lifetime = 0 and it will be session emulation, but without generating a cloud of session files.
those.
1. The user enters a login and password, they are correct.
2. Set cookies:
- ID - user ID
- HASH - md5(user_password_hash + salt ), where
user_password_hash - password hashed in the database
salt - salt
then on each page the request will be of the form further just compare $_COOKIE['HASH'] === md5($user['user_password_hash'] . $user['salt']) Pros of the approach
- the "session" is never destroyed (i.e. the user is always authorized) if you do not set the cookie lifetime = 0. For many sites where security is not critical, this is a very beautiful, easy and simple authorization option.