...

Note that the above noncompliant code example stores the user name and password within two cookie objects, which are sent to the client to be stored in a cookie. This code example is insecure because an attacker could perform a cross-site scripting attack or sniff packets to obtain this information. Once the attacker has it, they have free rein to log in to the user's account. On the other hand, if the application stored only the user name within the cookie for authentication purposes, an attacker could still use that user name to forge their own cookie and bypass the authentication system.
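The following is an added illustration of the two failure modes described above, not the page's own noncompliant or compliant code. The page's example is a Java servlet using cookie objects; this version models the same login flow in Python with only the standard library so it runs offline, and every account, password and salt in it is constructed sample data. It places the noncompliant pattern (credentials copied into cookies) beside a hardened form in which the client receives only an opaque session id that the server must recognise, so a cookie the client makes up, whether it carries a user name or an invented id, authenticates nobody.

```python
import hmac
import secrets
from hashlib import sha256
from http.cookies import SimpleCookie

# Constructed sample account (not a real credential): the server keeps only a
# salted password hash, never the password itself.
_SALT = b"constructed-salt"
_USERS = {"alice": sha256(_SALT + b"constructed-pw-1").hexdigest()}

# Server-side session table: opaque id -> user name. Only the id goes out.
_SESSIONS = {}


def check_password(user, password):
    """Verify a password against the stored hash using a constant-time compare."""
    stored = _USERS.get(user)
    if stored is None:
        return False
    candidate = sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


def login_noncompliant(user, password):
    """Pattern the page describes: the credentials themselves are copied into
    cookies. Returns the Set-Cookie lines the client would receive, or None."""
    if not check_password(user, password):
        return None
    c = SimpleCookie()
    c["username"] = user
    c["password"] = password  # plaintext secret now lives in the browser
    return c.output()


def login_compliant(user, password):
    """Hardened form: the client gets an unguessable session id and nothing else.
    HttpOnly keeps page scripts from reading it; Secure keeps it off plain HTTP."""
    if not check_password(user, password):
        return None
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = user
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Strict"
    return c.output()


def cookie_from_set_cookie(set_cookie_lines, name):
    """Client-side view: pull one cookie value out of Set-Cookie response lines."""
    for line in set_cookie_lines.splitlines():
        c = SimpleCookie()
        c.load(line.split(": ", 1)[-1])  # drop the "Set-Cookie: " prefix
        if name in c:
            return c[name].value
    return None


def user_from_cookie_header(cookie_header):
    """Server-side check on a later request: the cookie is only a lookup key,
    so a value the client invented (or a bare 'username' cookie) maps to nobody."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "sid" not in c:
        return None
    return _SESSIONS.get(c["sid"].value)


def logout(cookie_header):
    """Server-side invalidation: the client's copy becomes worthless at once,
    which is impossible when the cookie itself is the credential."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "sid" in c:
        _SESSIONS.pop(c["sid"].value, None)


if __name__ == "__main__":
    print(login_noncompliant("alice", "constructed-pw-1"))  # password visible
    hdr = login_compliant("alice", "constructed-pw-1")
    print(hdr)                                               # only an opaque id
    sid = cookie_from_set_cookie(hdr, "sid")
    print(user_from_cookie_header("sid=" + sid))             # alice
    print(user_from_cookie_header("username=alice"))         # None: forged
```

The session id is the only thing that crosses the trust boundary, and it is meaningless without the server-side table, which is what makes both attacks in the paragraph ineffective: a stolen noncompliant cookie hands over a reusable password, while a stolen session id can be revoked with `logout`, and a fabricated cookie never matches an entry the server created.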

...