1. Only if you need this address for its further use, because validation in our online stores, as a rule, takes place over a phone call - which allows you to verify the presence of the user and the order (almost 100%). In fact, the address can be confirmed even after working with the online store and in return give some sweet buns, and then send mailings with new arrivals in areas that are of interest to him.
2. There is a sense of the checkbox being enabled by default, but if a person does not want to, he will simply uncheck it. Many non-advanced users do not think about it now, having accepted by default that the site remembers them. I also recommend going over popular services such as classmate, vkontakte, etc. and look at how they do it and not give up on it - the similarity in visual terms and the behavior of standard sets of controls is one of the notable parameters of a user-friendly interface.
3. I would recommend to bind not only to the username (or just NOT to it), but to the browser data - the username is always the same for the session, but if you bind to the browser data, then stealing the cookies with the session, the villain will have to spoof and all browser identification data.
4. In theory, a session is needed in order not to climb every time for a check. Now you have nonsense - why check the same login with a password in the database from the session, if you yourself put them in the session? How can they differ? The user is not allowed to change the session data, this is done by your script.

1 and 2 - the simpler for the user, the better
3. Salt is more than desirable.
4. I advise you to read about sql injection :)

everything below is subjective
1. for an online store, this is superfluous. The best thing is to use three options: order without registration, registration through openid, regular registration.
2. has, it is very convenient. just make the title on the checkbox with a short explanation why this is.
3. salt is needed in order to “aggravate” the hash, and most importantly, so that there is one hash in the database (and next to it is the salt) and write to the session with the salt.
4. I usually put id=1 and password md5(rand()) in the "guest" cookie, and on the pages I already check if the id value is greater than 1, then I do identification, if 1 then not.
don't forget about mysql_escape()

1. Without soap activation, at first glance, it is easier and more convenient. But I think it will be unpleasant for the user to find out that he made a typo in the email field when he needs to recover the password to the account. Although it also depends on the purpose of your service, it may not be necessary to bind to soap as such.
3. Are you using your bike? What for?
4. > I check if there is session data, and then I have a mandatory request to the database
, and miracle scripts grow out of this, putting cancer on any server. Request here, request there. Do not be lazy, do it humanly right away, besides it is more convenient.

it is not clear why points 3 and 4 are needed at all.
I would also understand if the token was one-time, otherwise you just repeat the existing session mechanism, hanging some extra bells and whistles on it.
store the user_id and some is_logged flag in the session and clear the session when logged out.