Ok I will look into it. I do also hash the user agent, I really didn't want anything in the cookie viewable but some information would be obvious. A user can easily find any users username and most of the time, their user id. I wasn't sure about the password but I don't think anyone could ever decrypt it since it's salted and ran through sha1. I will try to find a way around using the password in the cookie. Thanks.