Client side sessions

Question

I want the clients of several related web apps to hold their own authentication state. This improves scalability, because no session replication between cluster nodes is nee

Answer 1

As Pekka said, not a good idea. One can intercept your cookie with sensitive session data. Even with SSL, by using fiddler2 one can decrypt the traffic