views:

44

answers:

3

I'm looking for a short tutorial about creating a login page for a website using cookies.

Each user has a username and a password.

Should I save both the username and the password in the cookies? Or may just the username be enough?

Can a malicious user somehow steal these cookies and pass the authorization?

+1 A:

It's not a good idea to store the password in the cookie. If you store just a username, your system is basically completely insecure. Remember that the client has complete control over the contents of cookies it sends to the server. It can send any username it wants. You should create an authorization token for the specific session (probably with an expiration time associated with it) and store that in the cookie. To prevent tampering with the cookie, you should sign (and encrypt) it on the server and validate the signature.

That said, doing that correctly is not an easy task. Don't reinvent the wheel. Use the authentication mechanisms provided by your platform.

Mehrdad Afshari
What do you mean by `Use the authentication mechanisms provided by your platform`? I'm building a website from scratch...
Misha Moroshko
@Misha: You say that you're using PHP. Instead of implementing your own authentication system from scratch look for some already existing class like: http://pear.php.net/manual/en/package.authentication.auth.intro.php For a simple tutorial about authentication in PHP, see http://insanesecurity.info/blog/8-tips-for-a-secure-login-scriptadmin-panel
Mehrdad Afshari
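The scheme the answer above describes (a random session token with an expiry, signed server-side, with the username never trusted from the cookie), written out as an added PHP example. This is not code from the answer or from any library it mentions. It signs rather than encrypts, because the payload holds nothing secret. It assumes a `SESSION_SECRET` environment variable holding at least 32 random bytes and uses a constructed in-memory array `$sessions` as a stand-in for a server-side session store; `issueSessionCookie`, `verifySessionCookie`, `sendSessionCookie` and `logout` are names chosen for this example.

```php
<?php
declare(strict_types=1);
// Added example, not code from the answer above: a signed, expiring session
// cookie for a from-scratch PHP login. The cookie carries only a random token
// id, an expiry and an HMAC; the username is looked up server-side from the
// token id, so nothing in the cookie is trusted until the signature checks.
// Assumptions: SESSION_SECRET is a >= 32-byte random value in the environment,
// and $sessions is a constructed in-memory stand-in for a session store.

const COOKIE_NAME = 'session';
const SESSION_TTL = 3600; // seconds a login stays valid

function serverSecret(): string
{
    $secret = getenv('SESSION_SECRET');
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('SESSION_SECRET must hold at least 32 random bytes');
    }
    return $secret;
}

// Cookie value: "<tokenId>.<expires>.<hex HMAC-SHA256 over 'tokenId.expires'>".
function issueSessionCookie(string $username, array &$sessions): string
{
    $tokenId = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG: not guessable
    $expires = time() + SESSION_TTL;
    $sessions[$tokenId] = ['user' => $username, 'expires' => $expires];
    $signed = $tokenId . '.' . $expires;
    return $signed . '.' . hash_hmac('sha256', $signed, serverSecret());
}

// Returns the logged-in username, or null if the cookie is missing, forged,
// expired, or no longer known to the server (logged out / revoked).
function verifySessionCookie(?string $cookie, array $sessions): ?string
{
    if ($cookie === null) {
        return null;
    }
    $parts = explode('.', $cookie);
    if (count($parts) !== 3 || !ctype_xdigit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    [$tokenId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $tokenId . '.' . $expires, serverSecret());
    // hash_equals() runs in constant time; a plain == would leak the MAC via timing.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ((int) $expires < time()) {
        return null;                         // expired
    }
    if (!isset($sessions[$tokenId])) {
        return null;                         // unknown or revoked token
    }
    return $sessions[$tokenId]['user'];
}

// Send the cookie with the flags that limit theft: Secure (sent only over HTTPS),
// HttpOnly (not readable by injected JavaScript), SameSite (not sent cross-site).
function sendSessionCookie(string $value): void
{
    setcookie(COOKIE_NAME, $value, [
        'expires'  => time() + SESSION_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function logout(string $cookie, array &$sessions): void
{
    $tokenId = explode('.', $cookie)[0];
    unset($sessions[$tokenId]);             // server-side revocation: the cookie is now dead
}

// Demo (command line): a fresh cookie verifies; one with a swapped token id but the
// original MAC fails the signature check; a logged-out one fails the store lookup.
if (PHP_SAPI === 'cli') {
    putenv('SESSION_SECRET=' . bin2hex(random_bytes(32)));   // demo only: set it in real config
    $sessions = [];
    $cookie = issueSessionCookie('misha', $sessions);
    var_dump(verifySessionCookie($cookie, $sessions));
    [$id, $exp, $mac] = explode('.', $cookie);
    var_dump(verifySessionCookie(bin2hex(random_bytes(16)) . ".$exp.$mac", $sessions));
    logout($cookie, $sessions);
    var_dump(verifySessionCookie($cookie, $sessions));
}
```

On the question of theft: the flags in `sendSessionCookie` stop the cookie from being read over plain HTTP or by script injected into the page, but a token that does leak is still valid until it expires or the server forgets it, which is why the lookup in `$sessions` (and the `logout` that removes it) matters as much as the signature.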
A: 

There are many ways to do authentication in PHP. Just google one http://www.developertutorials.com/scripts/script-details/307067.php

Alex Yeung
A: 

You will want to store your users' passwords in a database, and keep them obfuscated in some way. PHP has a built-in function called md5().

Here's a guide on php.net to help you through.

http://php.net/manual/en/features.http-auth.php

If you're having trouble grasping these concepts, then I'd recommend working through a PHP framework. My framework of choice is CakePHP, which makes stuff like authentication a breeze (another top framework is CodeIgniter).

tiltos
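Storing passwords in the database in obfuscated form, as the answer above suggests, done with PHP's own password API. This is an added example, not code from the answer or from any of the frameworks it names: `password_hash()` and `password_verify()` (PHP 5.5 and later) apply a random per-user salt and a deliberately slow hash (bcrypt), so two users with the same password get different stored values and guessing is expensive. `$users` is a constructed in-memory stand-in for the database table; `registerUser` and `checkLogin` are names chosen for this example.

```php
<?php
declare(strict_types=1);
// Added example, not code from the answer above: storing and checking passwords
// with PHP's password_hash()/password_verify() (PHP >= 5.5), which use a random
// per-user salt and a slow hash (bcrypt). $users is a constructed in-memory
// stand-in for the users table.

const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];   // higher cost = slower to brute-force; tune to ~100 ms

// On sign-up: never store the password itself, only its salted hash.
function registerUser(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

// On login: verify against the stored hash. Unknown users are checked against a
// dummy hash so the response time does not reveal which usernames exist.
function checkLogin(array &$users, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', HASH_ALGO, HASH_OPTIONS);
    }
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : $dummyHash;
    $ok    = password_verify($password, $hash) && $known;

    // If the cost parameter was raised since the hash was made, upgrade it on success.
    if ($ok && password_needs_rehash($hash, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return $ok;
}

// Demo (command line): two users with the same password get different hashes,
// the right password verifies, a wrong one and an unknown user do not.
if (PHP_SAPI === 'cli') {
    $users = [];
    registerUser($users, 'misha', 'correct horse battery staple');
    registerUser($users, 'alex',  'correct horse battery staple');
    var_dump($users['misha'] !== $users['alex']);
    var_dump(checkLogin($users, 'misha', 'correct horse battery staple'));
    var_dump(checkLogin($users, 'misha', 'wrong password'));
    var_dump(checkLogin($users, 'nobody', 'anything'));
}
```

The stored string from `password_hash()` already encodes the algorithm, cost and salt, so a single `VARCHAR(255)` column holds everything `password_verify()` needs, and `password_needs_rehash()` lets you raise the cost later without a migration.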