You shouldn't be sending encrypted cookies. You should use session variables instead. Then you can keep the "secret" data on the server side.

merlyn has a good article on the subject of cookies. Chek out his home page.