right off the bat i'd like to say i'd NEVER put a parameter in a cookie called "password". if that gets intercepted, you've made it all to easy (encrypted or not) for someone to get ahold of a users password.