I want the clients of several related web apps to hold their own authentication state. This improves scalability, because no session replication between cluster nodes is nee
As Pekka said, not a good idea. One can intercept your cookie with sensitive session data. Even with SSL, by using Fiddler2 one can decrypt the traffic.
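Added example, not code from the question or the answer: a cookie carrying HMAC-signed authentication state that any cluster node holding the shared key can verify without session replication. The key, the 15-minute lifetime and the function names are assumptions; the payload is signed but not encrypted, so it stays readable to anyone who obtains the cookie.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: every node in the cluster is provisioned with the same secret.
# Constructed sample key; a real one comes from a secret store.
SHARED_KEY = b"constructed-sample-key-do-not-use"
MAX_AGE_SECONDS = 900  # assumed 15-minute lifetime


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id, key=SHARED_KEY, now=None):
    """Return 'payload.tag'. The payload is signed, NOT encrypted."""
    now = int(time.time()) if now is None else int(now)
    payload = json.dumps({"uid": user_id, "exp": now + MAX_AGE_SECONDS},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(cookie, key=SHARED_KEY, now=None):
    """Return the user id, or None if the cookie is malformed, forged or expired."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    # Check the tag before parsing, so unauthenticated bytes never reach json.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None  # expired: bounds how long a captured cookie stays usable
    return claims["uid"]
```

The signature detects tampering only; a cookie captured in transit verifies until it expires, which is why the payload carries an identifier and an expiry rather than sensitive session data.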