So far I know a few things about the in-database, password-based authentication in FOST.3™ (FOST.3™ also supports a few other authentication schemes which are more secure):
What nobody seems to have discussed so far is what you put in the cookie. I think an extra round of SHA1 would be good (maybe with an extra salt, and possibly including the IP address in the hash), but I suspect a random string might be better (although getting a truly random string out of a computer is not easy).
What I do know for sure, though, is that although I'm not qualified to come up with a proper scheme, the current practice of putting the password in the cookie is an awfully bad idea.
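To make the "random string" alternative concrete, here is an added example (not code from the post and not FOST.3's own session handling) of a cookie that carries only an opaque session token drawn from the operating system's CSPRNG, with the server keeping just a hash of that token next to the user name and an expiry. The in-memory `SESSIONS` store, the one-hour `SESSION_TTL` and the `Set-Cookie` attributes are assumptions for the illustration; the point is that nothing in the cookie is derived from the password, so a leaked cookie can be revoked without the credential being exposed, and a leaked session table does not yield usable cookies either.

```python
import hashlib
import secrets
import time

# Hypothetical in-memory session store: sha256(token) -> (username, expiry).
# Only the hash of the token is kept, so the table cannot be used to forge cookies.
SESSIONS = {}
SESSION_TTL = 3600  # seconds; assumed value for the example


def _token_hash(token: str) -> str:
    """Server-side key for a token; the raw token never touches the store."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_session(username: str, now=None) -> str:
    """Return the opaque value to place in the cookie.

    The value comes from secrets.token_urlsafe (the OS CSPRNG), so it carries
    no information about the user or the password; the server recognises it
    only by looking up its hash.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL/cookie safe
    SESSIONS[_token_hash(token)] = (username, now + SESSION_TTL)
    return token


def lookup_session(token: str, now=None):
    """Return the username for a valid cookie value, or None if unknown/expired."""
    now = time.time() if now is None else now
    key = _token_hash(token)
    entry = SESSIONS.get(key)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        SESSIONS.pop(key, None)  # drop stale entries as they are seen
        return None
    return username


def revoke_session(token: str) -> None:
    """Log out: invalidating the token needs no password change, unlike a password cookie."""
    SESSIONS.pop(_token_hash(token), None)


def set_cookie_header(token: str) -> str:
    """Constructed Set-Cookie line; the attributes are assumed, not FOST.3 defaults."""
    return f"session={token}; Path=/; Max-Age={SESSION_TTL}; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    cookie_value = create_session("alice")
    print(set_cookie_header(cookie_value))
    print("lookup ->", lookup_session(cookie_value))
    revoke_session(cookie_value)
    print("after revoke ->", lookup_session(cookie_value))
```

Because the token is random rather than a hash of the password, two logins by the same user produce unrelated cookies, and rotating or revoking one of them costs nothing; binding the session to an IP address, which the post considers, can be layered on top by storing the address in the same table entry.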