Instead of storing the key in the cookie (this seems risky), what about storing the key on the server, and using the cookie (with a globally unique ID) to retrieve the key?