Let me just say this:
you can not relay on others when it comes to security, so cookies is out of question, because most of the internet users have no idea how to protect their computers, they don't even have antivirus programs. That said, if you want have a secure connection with your clients, don't use cookies, because cookies can be compromised on the client's computer. Keep session expiration time as short as possible (obviously too short will be annoying). Using cookies for auto login won't be a problem for security, as long as the user being asked enter their password before they can do any changes (or even view details) in their profile or before any money transaction occur.
I don't know what is it you are trying to do exactly, but if it involves payment transaction, I think you'd be better find an ecommerce or something, someone who knows "how and what"...
P.S.
These are my personal thoughts based on what I witness on the internet. I can be wrong, never had any experiences with "shops".