What saskaqueer is getting at is that it is easy for someone familiar with HTTP and CGI to tell your CGI that they are logged in. We even see shopping cart tools on sites that pass the item's price from page to page like that. This way of doing things actually happens rather often and you can see why it's a problem.

The general solution to this problem is to only store a reasonably hard to predict number in the cookie. When the cookie comes in with a request your code has to lookup that number in a database or a file (often named something like "/tmp/session_" . $number ). Then the database or file contains the actual information like the login name, etc.

I recommend reading How to remember who is logged in... before building too much more of your system.