You put the bolt on the safety, making the authentication cookie which is equal to the user id.
I suppose I come to your site, go to browser settings and set your cookie, say id=1, and so I went under admin on your site, or just under some other user. The only question in the selection id.
On this if you want to do such authorization, it is necessary that in the cookie was not associated with the user token of the input.
Entered user login/password, if everything is OK, create some kind of rubbish, like
token = md5(salt . rand() . id) // this part of your fantasy :)
save it in a cookie of the user in the database.
When the user visits the site, take the cookie and compare with the value in the database for that user. All.