The only thing that sessions store in a cookie is the session identifier. It's a MD5 or SHA1 hash (depending on your php.ini settings). It contains no sensitive data which anyone could easily steal. The rest of the data is stored on the server, and it's only accessibly with the right session identifier.
Storing the username/password directly in a cookie, without sessions, would obviously be more insecure.