Without encrypting the HTTP session using SSL (i.e. HTTPS), there is no method of storing information in a cookie that is secure since the packets containing the cookie are sent in the clear over the net. I don't even need to decrypt the password to use such a cookie, if I can get my hands on the packets as they pass from the client to the server.

That said, I'd think that for most many non-commerce uses such a system is sufficient if there is a call to a cookie destructor at some point. Either a short expiration date on the cookie both on the client side and on the server side(so that a hijacked cookie has a short viability) or a "log me out" button, so that it is up to the user (in an apparent and easy way) to clear that cookie from use (and make it so they have to login the next time around-- of course, every login presents a possible target for interception as well).