in reply to Re: Re: Security
in thread Security
If I copy a cookie from someone's browser (small amount of handwaving here on how I get it in the first place) then it doesn't really matter how I encode it unless I am using some sort of Diffie-Hellman pair. I'd still be stealing someone's identity.
Unless there is some sort of challenge/response happening where the user has to perform some active function, such as typing in a password, using a smart card, or whatever, using a client-side cookie is just asking for trouble.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Peter L. Berghold --- Peter@Berghold.Net
"Those who fail to learn from history are condemned to repeat it."
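The contrast drawn in the post above, as an added example that is not part of the original post: a server-signed cookie verifies for any holder of a copy, while a nonce challenge answered with a secret the user keeps cannot be replayed. All names, the use of HMAC-SHA256 and the shared passphrase are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)       # constructed server signing key
USER_SECRET = b"constructed-passphrase"    # known only to the user and server


def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_cookie(user):
    # Bearer cookie: whoever presents these bytes is treated as `user`.
    return f"{user}.{mac(SERVER_KEY, user.encode())}"


def verify_cookie(cookie):
    user, _, tag = cookie.rpartition(".")
    expected = mac(SERVER_KEY, user.encode())
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return user if ok else None


class ChallengeServer:
    def __init__(self, user_secrets):
        self.user_secrets = user_secrets
        self.pending = {}                      # user -> outstanding nonce

    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)   # each nonce is accepted once
        secret = self.user_secrets.get(user)
        if nonce is None or secret is None:
            return False
        return hmac.compare_digest(response.encode(), mac(secret, nonce).encode())


def demo():
    copied = issue_cookie("alice")             # same bytes in a second browser
    server = ChallengeServer({"alice": USER_SECRET})
    answer = mac(USER_SECRET, server.challenge("alice"))  # user's active step
    first = server.verify("alice", answer)
    server.challenge("alice")                  # next login gets a fresh nonce
    replayed = server.verify("alice", answer)  # captured answer, no secret
    return verify_cookie(copied), first, replayed
```

The signature on the cookie still stops tampering with the user name; what it cannot do is tell the original holder from a second one.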