The issue: Cookies can easily be modified by users. Do not store important information in cookies Can be faked very easily by automated scripts. The solution: Use ext/session to store user data. If available, a session ID will be stored in a cookie automatically. Data will be stored on the servers filesystem or database. Hint: Never store passwords as clear text or too simple md5 hash. ]]>