in reply to Password management. Seeking crypto advice

This method is what most login systems use. People supply user name and password, they're checked against the database, then the user name and a unique hash generated from user name and internal site key are stored as cookies. You could also theoretically store an expiration date (48 hours?) along with the user name and create a hash based off both.

The only problem with this system is that once a user is logged in, he stays logged in regardless of what the database says about user status. But this isn't a major problem if you check user status on every event (posting, voting, etc.) and combine that with login expiration and user check every x number of page views. You could also just ban his IP mask from Apache until his expiration runs out by using a .htaccess file:

    ErrorDocument 403 /youbanned.html
    order allow,deny
    deny from 123.456.789.
    allow from all
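
The cookie scheme described in this post, sketched in Python as an added example that is not part of the original post. It uses HMAC-SHA256 as the keyed hash over user name and expiry; `SITE_KEY`, `issue_cookie`, `verify_cookie` and the `is_active` callback (standing in for the database status check) are assumed names.

```python
import hashlib
import hmac
import time

# Assumption: stands in for the "internal site key"; constructed demo value.
SITE_KEY = b"constructed-demo-key-replace-me"
LIFETIME = 48 * 3600  # the 48-hour expiry floated in the post


def sign(payload):
    """Keyed hash (HMAC-SHA256) of the cookie payload under the site key."""
    return hmac.new(SITE_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username, now=None):
    """Build 'username|expiry|tag' after the password check has passed."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    expiry = int((time.time() if now is None else now) + LIFETIME)
    payload = f"{username}|{expiry}"
    return f"{payload}|{sign(payload)}"


def verify_cookie(cookie, is_active, now=None):
    """Return the user name if the cookie is authentic, unexpired and the
    account is still active; otherwise return None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expiry, tag = parts
    expected = sign(f"{username}|{expiry}")
    # Constant-time comparison; any change to name or expiry breaks the tag.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if int(expiry) < (time.time() if now is None else now):
        return None
    # The per-event status check: a banned user fails even with a valid cookie.
    if not is_active(username):
        return None
    return username
```
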