Recently used cookies for authentication at a customer site. While I can't submit any code from that particular project. Here is how I addressed the problem.

1. Use an SSL site to encrypt the html form
2. Created a seed string in my local SQL database for doing the encryption/decryption using crypt
3. processed user input, taking password and encrypting it with the seed, compare to that users encrypted database password for a match
4. if the above passed validation, I then took some more info I would need later and created another encrypted string, storing it all as one ugly cookie. I also stored the userid as a cookie, in the clear.
5. every time the user hit the database, I'd take the clear userid cookie, nab the known user info I'd store for that "real" user and encrypted it all over again.
6. if the above ugly string matched the ugly cookie, they continue, else they'd get kicked back to the login screen.

Some of the "extra" data I encrypted was date info, so it also acted as a user timeout. (handled by my program, not using a cookie "expire")

Not sure I've explained it clearly, but this technique worked, and worked fast.

One gotcha is crypt can create some characters that can get hosed sending via the server, so I had some additional escape'ing of non-valid cookie characters.

Since I seemed to have rambled a bit here, and I am pressed for time, feel free to email me for a clearer explantion. wardk@wardk.org