could somebody make up a valid cookie without interacting with your server?