Good point. But I doubt that a person who is sniffing on the net would get the whole thing. It would take a person being on the same LAN to get the whole cookie with a sniffer. As I was thinking that a way to combat this would be to add the IP address of the computer the cookie is being sent to into the encrypted contents. However something like that would cause a problem with anyone who is using a proxy (like AOL). If I were doing E-Commerce I would most definatly use SSL. Any way of securing a cookie without SSL? Taking an MD5 of the cookie won't do it since the cookie is not changed. Where does being carefull cross over to being overly paranoid?

BMaximus