Never use the cookie to round trip:

  • The int/guid id to a database record
  • Role names or identifiers
  • Identity characteristics
  • Preferences

Make the contents of a cookie small. Very small. An int or a guid is ok.

Note: a cookie that is expired is not sent back to the server.
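As an added example (not part of these notes), a minimal Python session store illustrating the two points above: the cookie carries only a guid-style id, roles and preferences are looked up server-side on every request, and Max-Age tells the browser when to stop sending the cookie. The in-memory store, the function names and the one-hour lifetime are assumptions.

```python
import uuid
from http.cookies import CookieError, SimpleCookie

# Constructed in-memory store; a real deployment uses a database or cache.
# Roles, identity and preferences live here and never leave the server.
SESSIONS = {}


def create_session(user_id, roles, prefs):
    """Store the record server-side and return the small id that goes in the cookie."""
    sid = str(uuid.uuid4())  # random guid: small, and unguessable as a lookup key
    SESSIONS[sid] = {"user_id": user_id, "roles": list(roles), "prefs": dict(prefs)}
    return sid


def set_cookie_header(sid, max_age=3600):
    """Build the Set-Cookie line: only the id, with an expiry the browser enforces."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True   # not readable by page scripts
    c["sid"]["secure"] = True     # only sent over HTTPS
    c["sid"]["samesite"] = "Lax"
    c["sid"]["max-age"] = max_age  # once expired, the browser stops sending it
    return c.output(header="Set-Cookie:")


def resolve_session(cookie_header):
    """Map the incoming Cookie header back to the server-side record.

    The cookie value is used only as a lookup key; an unknown, missing or
    malformed id yields None, so nothing client-supplied becomes a role.
    """
    c = SimpleCookie()
    try:
        c.load(cookie_header or "")
    except CookieError:
        return None
    morsel = c.get("sid")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def end_session(sid):
    """Server-side revocation: dropping the record invalidates the cookie immediately."""
    SESSIONS.pop(sid, None)
```

Because the roles are resolved from the store rather than read from the cookie, changing a role takes effect on the next request without reissuing the cookie, and revoking the record ends the session even if the browser still holds the id.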

