You can write a "random" string to the cookie, and create in the database a table that links this "random" value to the user ID. You can also "lock" this random value to a specific IP address, user agent ,etc :) []'s