2
Here's how I handle user authentication on my non XOOPS sites. When a user logs in, I write an md5 sum of microtime concatenated with a site specific secret string to the database entry for the user and to a cookie. This is guaranteed to be a unique key. When the user comes back, I use that key to look them up. No encrypting of any user info needs to be done so nothing to crack on the workstation. However, like any other cookie, they can be stolen if someone has access to their local machine.
I will be hacking this into XOOPS when version 1 comes out if they haven't already fixed it. All this talk about cookies being a lack of security is over rated. Almost every major site on the internet has an option to auto login users. With all of the other security holes in operating systems, cookies are the least of our problems.
Chris