[eluser]Popcorn[/eluser]
Actually, I retract my previous statement. I totally forgot about the encryption key you have to set within the configuration file. Unless the users hack into your website they would have a very minimal chance of creating a fake session cookie.