could somebody make up a valid cookie without properly authenticating?