As fokat notes, anyone who gets their hands on the cookie, encrypted or not, can defeat your scheme.

You can mitigate the risk by timing out the cookie. You're already embedding a timestamp, though the timestamp would be easier to check if you embedded a raw time() value, rather than splitting it via localtime().

For real security, though, you should be doing this over https: