LinuxQuestions.org
Old 11-01-2006, 11:10 PM   #1
DamianS
LQ Newbie
 
Registered: Sep 2006
Posts: 5

Rep: Reputation: 0
password and cookie encryption


I have been developing a site and login process using php and mysql.
It is now to the point where I want to encrypt cookies, but am unsure which way to go.
I have looked at mcrypt, but the last version on sourceforge is 3 years old.
Is it still safe to use mcrypt and libmcrypt?

I am currently encrypting passwords with md5 which I understand is actually a 1-way hash.
However, I would like to encrypt them such that it could be reversed so I can send back the user their password in an email, rather than generating a new password for them each time.
Is it really much of a security risk to do this?
(I will add salt to prevent dictionary attacks.)
 
Old 11-03-2006, 07:02 AM   #2
senyahnoj
Member
 
Registered: Jul 2004
Location: Gloucestershire, UK
Distribution: Ubuntu, Debian & Gentoo
Posts: 74

Rep: Reputation: 16
Well, you will compromise on security a little using 2-way encryption, but if that's the functionality you want then that's what you're best doing. The fact that passwords can ultimately be sent in email unencrypted is a security compromise in itself.

Like with any encryption, using several methods in combination and concatenating the password string with a secret key string known only to your application will make it increasingly more secure.

You can also think about storing the password in the database using a 2-way encryption method (like mcrypt), and using a different 1-way encryption method (e.g. md5) for the authentication cookie you send back to the client.

I can highly recommend the PHP Cookbook (O'Reilly) which is an excellent book and has a highly informative section with examples on encryption and decryption using mcrypt and doing cookie based authentication. Otherwise, check out the user-submitted recipes on the PHP manual http://uk.php.net/manual/en/ref.mcrypt.php

The other way is to keep one-way encryption and get the user to fill out a 'password reminder' field and store it in a database. You can email that to them instead of the password.

Last edited by senyahnoj; 11-03-2006 at 07:03 AM.
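One way to lay out the two pieces the reply talks about, a password record kept on the server and a cookie that carries authentication back to the client, as an added example that is not from this thread. It is written in Python rather than the PHP the question is about, and it swaps in PBKDF2 for the salted md5 and an HMAC tag under the application's secret key in place of mcrypt-encrypting the cookie; the SERVER_KEY value and the reset_token helper are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed secret known only to the application (the reply's "secret key string").
# In a real deployment this comes from configuration, never from the source file.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def store_password(password: str, iterations: int = 200_000) -> str:
    """Return a one-way, salted record: PBKDF2-HMAC-SHA256 over the password.
    A per-user salt defeats precomputed dictionary tables; the record cannot be
    reversed, so the original password is never available to email back."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_cookie(user_id: int, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Authentication cookie: user id plus expiry, tagged with HMAC under SERVER_KEY.
    Nothing secret is inside it, so the client needs no decryption; the tag keeps
    the client from forging or altering it."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}:{now + ttl}"
    tag = hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}:{tag}"


def verify_cookie(cookie: str, now: Optional[int] = None) -> Optional[int]:
    """Return the user id if the tag is valid and the cookie is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        uid, exp, tag = cookie.split(":")
        uid_n, exp_n = int(uid), int(exp)
    except ValueError:            # malformed cookie: wrong field count or non-numeric
        return None
    expected = hmac.new(SERVER_KEY, f"{uid}:{exp}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected) or exp_n <= now:
        return None
    return uid_n


def reset_token() -> str:
    """Alternative to emailing a password: a random, single-use reset token."""
    return secrets.token_urlsafe(32)
```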