by weavejester 5975 days ago
Usually signing a cookie means adding an HMAC to the end of it so the user can't modify the contents without invalidating it. The example given seems kinda misleading, because including the salt offers some measure of protection against tampering anyway.

See, that's signing. That has a lot of use, and there are a lot of ways to make that however secure you want. The example doesn't seem to do any of that, though, it's simply storing two user-specific details, one of which the user shouldn't know. Or, at least, one which other users wouldn't know.

Again, that's unless I'm missing something.
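Signing as weavejester describes it, shown as an added example that is not code from either comment: the cookie value is followed by an HMAC-SHA256 tag over it, so any change to the value invalidates the tag, while the value itself stays readable (signing is not secrecy, which is the reply's point). The secret key, payload and function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Constructed key for the example only; a real server loads its signing
# key from configuration and never hard-codes it.
SECRET_KEY = b"example-server-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding; alphabet contains no '.'.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: str, key: bytes = SECRET_KEY) -> str:
    """Return '<payload>.<tag>' where tag = HMAC-SHA256(key, encoded payload)."""
    encoded = _b64(payload.encode("utf-8"))
    tag = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
    return f"{encoded}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the payload if the tag matches, otherwise None.

    The tag is recomputed over the presented payload and compared in
    constant time, so a tampered payload or a tag from a different key
    (or a different payload) is rejected without leaking timing.
    """
    encoded, sep, tag_text = cookie.rpartition(".")
    if not sep or not encoded:
        return None  # malformed: no separator or empty payload
    try:
        presented = _unb64(tag_text)
        expected = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(presented, expected):
            return None  # tag does not match: payload or key was changed
        return _unb64(encoded).decode("utf-8")
    except ValueError:  # bad base64 / non-ASCII input (binascii.Error is a ValueError)
        return None
```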