No real reason not to go with AES with 256 bits. Make sure to use this in CBC mode, and PKCS#7 padding.
As you said, fast and secure.
I have read (not tested) that Blowfish may be marginally faster… However Blowfish has a major drawback of long setup time, which would make it bad for your situation. Also, AES is more “proven”.
This assumes that it really is necessary to symmetrically encrypt your cookie data. As others have noted, it really shouldnt be necessary, and there are only a few edge cases where there’s no other choice but to do so. Commonly, it would better suit you to change the design, and go back to either random session identifiers, or if necessary one-way hashes (using SHA-256).
In your case, besides the “regular” random session identifier, your issue is the “remember me” feature – this should also be implemented as either:
- a long random number, stored in the database and mapped to a user account;
- or a keyed hash (e.g. HMAC) containing e.g. the username, timestamp, mebbe a salt, AND a secret server key. This can of course all be verified server-side…
Seems like we’ve gotten a little off topic of your original, specific question – and changed the basis of your question by changing the design….
So as long as we’re doing that, I would also STRONGLY recommend AGAINST this feature of persistent “remember me”, for several reasons, the biggest among them:
- Makes it much more likely that someone may steal that user’s remember key, allowing them to spoof the user’s identity (and then probably change his password);
- CSRF – Cross Site Request Forgery. Your feature will effectively allow an anonymous attacker to cause unknowing users to submit “authenticated” requests to your application, even without being actually logged in.