I used to have a site with a login page, which, when the login was valid, gave out a username cookie and an $ENV{UNIQUE_ID} cookie, which was to avoid putting the password in a cookie.

Probably better is to just give out such an $ENV{UNIQUE_ID} cookie, and, at the server-side, to associate them with a userid and a last-active time to expire it (in case people forget to log out on a public computer!). That way, you can look up their cookie in a table and retrieve all relevant information, if the cookie is (still) valid.

Btw, I think I know who you are. Why don't you create a userid here?