There should never be any information stored in a session cookie at all other than the name and session key. Anything else is bad security. Recommending parsing the putative JSON with regex is bad programming. Answering a PHP question with Python handwaving is bad forum participation.