by Groxx 5980 days ago
I feel like I'm not understanding something. How is this "signed"? It appears they're just storing the user's salt in their cookie... in which case you might as well store any other random info, it doesn't mean it's "signed", it just prevents people from changing their cookie's user_id and logging in as someone else. Didn't they already have something like that in place?
1 comments

Usually signing a cookie means adding a HMAC to the end of it so the user can't modify the contents without invalidating it. The example given seems kinda misleading, because including the salt offers some measure of protection against tampering anyway.
See, that's signing. That has a lot of use, and there are a lot of ways to make that however secure you want. The example doesn't seem to do any of that, though, it's simply storing two user-specific details, one of which the user shouldn't know. Or, at least, one which other users wouldn't know.

Again, that's unless I'm missing something.
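The distinction drawn in this thread, a cookie whose contents are bound by an HMAC versus a cookie that merely carries a per-user secret, as an added example that is not part of the thread or of whatever project the original article described. The key, the user table and the cookie values are constructed for the example; the format `payload.base64url(HMAC-SHA256)` and the colon-separated `user_id:salt` layout are assumptions chosen here for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Server-side key (constructed sample value for this example; a real deployment
# loads it from configuration, never from source).
SERVER_KEY = b"example-server-key-do-not-use"

# Constructed user table for the "salt in the cookie" scheme discussed in the thread.
USER_SALTS = {"42": "k9d2", "7": "q1zz"}


def sign_cookie(value: str, key: bytes = SERVER_KEY) -> str:
    """Signed scheme: append base64url(HMAC-SHA256(key, value)) to the payload.

    The tag depends on every byte of the payload and on a key the client never
    sees, so the client cannot change the payload without invalidating the tag.
    """
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    tag_b64 = base64.urlsafe_b64encode(tag).rstrip(b"=").decode("ascii")
    return f"{value}.{tag_b64}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the payload if the tag verifies, otherwise None.

    Recompute the tag over the presented payload and compare the whole string
    in constant time, so a forged tag cannot be confirmed byte by byte.
    """
    value, sep, _tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag present at all
    expected = sign_cookie(value, key)
    if not hmac.compare_digest(expected, cookie):
        return None
    return value


def check_salt_cookie(cookie: str) -> Optional[str]:
    """Unsigned scheme: cookie carries 'user_id:salt' and the server looks the salt up.

    Nothing here is a signature. The check only asks "does the presented salt
    equal the stored one?", so the protection is exactly the secrecy of that
    per-user value; it is a bearer secret, not an integrity check on the data.
    """
    user_id, sep, salt = cookie.partition(":")
    if sep and hmac.compare_digest(USER_SALTS.get(user_id, ""), salt):
        return user_id
    return None


def demo() -> dict:
    """Run both schemes on constructed cookies and collect the outcomes."""
    good = sign_cookie("user_id=42")
    payload, tag = good.rsplit(".", 1)
    forged = "user_id=7." + tag          # payload edited, original tag kept
    return {
        "signed_ok": verify_cookie(good),            # "user_id=42"
        "signed_forged": verify_cookie(forged),      # None: tag no longer matches
        "signed_no_tag": verify_cookie("user_id=7"), # None: nothing to verify
        "salt_ok": check_salt_cookie("42:k9d2"),     # "42"
        "salt_wrong": check_salt_cookie("7:k9d2"),   # None: salt belongs to 42
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The signed cookie rejects any edit to its payload because the server recomputes the tag with a key the client does not hold; the salt cookie rejects nothing about the payload itself, it only refuses a salt that does not match the stored one, which is the "user-specific detail the user shouldn't know" that the reply above describes.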