This is a branch of another question: What is the best way to implement "remember me" for a website?
The top answer is to implement this: http://jaspan.com/improved_persistent_login_cookie_best_practice
A summary:
Use a random number as a Series Token, and another as a Login Token. Place those in the Stay Logged In cookie, along with the username. Assign a second, normal Session cookie. Each time a user arrives without a Session cookie, consume the Stay Logged In cookie. Issue a new one, this time with a new random Login Token, keeping the Series Token the same.
Why include the username? How is that helping? The Series Token should be enough to identify the user and series. The Series Token was added in this approach to prevent a DoS attack where an attacker just guesses all usernames and hits the site all at once, logging everyone out. But why does it make sense to leave the username in at all?
The username and number are looked up as a pair on the server before issuing a new session cookie. Without the username it would be less secure (could replay using a different user if you stole the number) and harder to lookup.
My guess on this:
The username is for audit. If you require the client to send it together with the token for authentication, then you know which user attempts to be authenticated. Which allows you to react in some sane way to the token being wrong.
If you only ask for the token during auth, then you don't know which user actually tries it and on a match just grant someone access but can't do anything on fail. Someone can just try to blindly go over them.
With that in mind let's say we settle on using both username and token. Now if token is wrong we can remove all the other tokens for that user. But that opens up the system to DOS. Attacker can log out anyone at will. So for that series is added.
It does not have to be username, some other info that will allow to identify the user will work too.