I'm trying to create a cookie to keep my website's users logged in. I let a person log in from multiple devices. Can I create one identical cookie for all of a user's devices? Or should I store multiple different cookies for different devices (and why)?
Actually, I don't see any problem with having one common cookie for a specific user on multiple devices. Also, that cookie isn't changeable: it will always stay fixed until the user changes his password. I create that cookie like this:

```php
// the poster's cookie value: a fixed hash of the password, user id and username
md5($password.$user_id.$username);
```

That cookie is based on the password because I want to log him out when he changes his password; otherwise he will stay logged in on all devices that he already logged into.
Am I doing that correctly?
The cryptographic hash algorithm MD5 has already begun to be broken, mainly in regards to its collision resistance property, as well as preimage resistance slightly. See the Wikipedia article, in the security section.
Therefore I would not use MD5 for anything even slightly security related. It is a similar story with SHA-1, in that it has begun to be broken, so I would use SHA-2 if you do indeed need a hashing algorithm.
The problem with your approach is that you cannot revoke the token from individual devices easily. Also, having the password as input to your algorithm could make it vulnerable to a hash cracking attack, should the other values be known. Don't rely on your method being secret either; Kerckhoffs's principle states "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge."
Also, another problem with your approach is that your hashing algorithm needs plaintext access to the password, which could suggest you are storing passwords insecurely. In short, ensure you are using bcrypt for password storage. Of course, you may be creating the cookie and storing a server-side version of it at the point where the user enters their password; however, given that you want to invalidate cookies automatically upon password change, I think not.
The most secure way to manage devices with tokens is to generate a 128-bit random token per device, and store this hashed with SHA-2 in your database. Ensure a CSPRNG is used to generate the token.
Therefore:
Cookie value: 128-bit token
Database value: SHA-2(128-bit token)
Note that salts are not required for values of such bit strength. Then when a user changes their password, you simply delete all server-side tokens for the user. Additionally, you will be able to allow the user to revoke tokens for different devices individually without any password change required.
The reason for hashing on the server-side is to mitigate any session hijacking should an attacker gain access to your sessions table.
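The per-device token scheme this answer describes, as an added example that is not from the original answer: it uses Python rather than PHP, and an in-memory dict (assumed) stands in for the sessions table. Only the SHA-256 digest of each 128-bit CSPRNG token is stored, so a copy of the table does not yield usable cookies, and revocation works per device or for all devices at once.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for the sessions table: maps SHA-256(token) to
# (user_id, device label). The raw token never appears here.
SessionStore = Dict[str, Tuple[int, str]]

def _digest(token_hex: str) -> str:
    """Server-side form of a token: SHA-256 over the raw 16 token bytes."""
    return hashlib.sha256(bytes.fromhex(token_hex)).hexdigest()

def issue_token(store: SessionStore, user_id: int, device: str) -> str:
    """Start a session for one device; returns the cookie value (raw token)."""
    token_hex = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    store[_digest(token_hex)] = (user_id, device)
    return token_hex

def lookup(store: SessionStore, cookie_value: str) -> Optional[int]:
    """Resolve a presented cookie to a user id, or None if unknown or malformed."""
    try:
        entry = store.get(_digest(cookie_value))
    except ValueError:  # cookie is not valid hex: treat as no session
        return None
    return entry[0] if entry else None

def revoke_device(store: SessionStore, user_id: int, device: str) -> int:
    """Log out one device only; returns how many sessions were removed."""
    doomed = [k for k, (uid, dev) in store.items()
              if (uid, dev) == (user_id, device)]
    for k in doomed:
        del store[k]
    return len(doomed)

def on_password_change(store: SessionStore, user_id: int) -> int:
    """Log the user out everywhere, as recommended when the password changes."""
    doomed = [k for k, (uid, _) in store.items() if uid == user_id]
    for k in doomed:
        del store[k]
    return len(doomed)

if __name__ == "__main__":
    sessions: SessionStore = {}
    phone = issue_token(sessions, 42, "phone")
    laptop = issue_token(sessions, 42, "laptop")
    revoke_device(sessions, 42, "phone")
    print(lookup(sessions, phone), lookup(sessions, laptop))  # None 42
```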
> Am I doing that correctly?
Unfortunately no.
By creating cookies with this design, `md5($password.$user_id.$username)`, you are implementing them in their most naive form. A basic rule of thumb is to never store a user's credentials within a cookie. This is valid however powerful the hashing algorithm you use may be. And the MD5 algorithm you are using is not that strong (Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH).
> Or should I store multiple different cookies for different devices (and why)?
You do not have to. Useless. And as a good security principle, never add functionality (code) to your software if you do not need it; otherwise you may enhance the attack surface.