What you're describing is the difference between a permanent cookie (has expiration date in the future) and a session cookie (expires when the browser closes ... sometimes). Most browsers (ok - firefox) allow for the inspection of permanent cookies as well as session cookies. Even if they didn't, you should never assume anything sent to a client *cannot* be seen by the client (someone can write their own client).
You're just touching the surface by encrypting the password (even encrypted, how can you prevent man-in-the-middle session hijacking). Check out the W3 FAQ section on Cookie Security ... (but be cautious about using IP address in your scheme since it can change during a session if a user is behind a big proxy server).