i'm aware that (unencrypted) almost anything in a cookie is a Bad Idea ™, but without rearchitecting this whole application, i'm stuck with encrypted cookies.

encrypted in cookie, decrypted and compared server side.