by theroo 5461 days ago
Also, setting the cookie 'todos' to todolist.id will allow anyone to manipulate the value of that cookie in order to read anyone's cookies.

With Django 1.4 (or the dev version) it will be possible to cryptographically sign a cookie:

https://docs.djangoproject.com/en/dev/topics/signing/

You can use this to store the session data with the user without having to consult a database and without fear that they will tamper with the id:

https://github.com/ericflo/django-cookie-sessions
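The signed-cookie idea described above, as an added example that is not part of this thread and is not Django's own signing module: a stdlib-only HMAC-SHA256 signed cookie with an issue timestamp, so a client who edits the id stored in the cookie fails verification instead of reading another user's list. The secret key and the `{"todos": 42}` payload are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example; in practice it lives in server configuration.
SECRET_KEY = b"example-secret-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload, key=SECRET_KEY, now=None):
    """Serialize payload, stamp it with the issue time, and append an HMAC-SHA256 tag.

    Wire format: <base64url json>.<base64url timestamp>.<base64url mac>
    """
    body = b64url_encode(json.dumps(payload, sort_keys=True).encode())
    issued = int(time.time() if now is None else now)
    ts = b64url_encode(str(issued).encode())
    mac = hmac.new(key, f"{body}.{ts}".encode(), hashlib.sha256).digest()
    return f"{body}.{ts}.{b64url_encode(mac)}"


def load_cookie(value, key=SECRET_KEY, max_age=None, now=None):
    """Return the payload only if the MAC verifies and the cookie is not expired; else None."""
    try:
        body, ts, mac = value.split(".")
        expected = hmac.new(key, f"{body}.{ts}".encode(), hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak timing information about the tag.
        if not hmac.compare_digest(expected, b64url_decode(mac)):
            return None
        if max_age is not None:
            current = time.time() if now is None else now
            if current - int(b64url_decode(ts)) > max_age:
                return None
        return json.loads(b64url_decode(body))
    except ValueError:  # malformed base64, bad timestamp, wrong part count, or invalid JSON
        return None


if __name__ == "__main__":
    cookie = sign_cookie({"todos": 42})
    print(cookie, load_cookie(cookie, max_age=3600))
```

Anything stored this way is signed, not encrypted: the client can still read the id, it just cannot change it.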