I completely agree. Where I work I found out that many users were copying the cookies, and renaming them, from a users workstation who had access to a particular in-house web site. They were having trouble logging in to the web page so they just raided the cookie jar. Turned out none of them had ever requested access. Cost money and patience to call the help desk and request an ID/password! Thinking cookies are good security practice is like thinking your cookie jar is safe from your kids. They'll always get into them.