[eluser]Jondolar[/eluser]
Yes, you use the cookie to retrieve the correct record in the DB. You do have some options.
You could hash the key prior to storing it in the db and then hash the cookie after it is returned from the browser. That way if someone gets access to the cookie and the database they won't know which record the cookie is for. You can also encrypt the data you are storing in the database, possibly by storing the data in an array, serializing the array, and then encrypting the string.
If your data is not important (sortby field, search filter, page number, etc), you could store those in the cookie as well and save a trip to the db. You really only need to protect "protectable worthy" data