[thelist] Can cookies be faked?

John.Brooking at NA.SAPPI.COM
Wed Oct 8 12:10:59 CDT 2003


Sorry if this is a dumb question. I can't seem to refine my Google search
appropriately to answer it. At least it should be a simple one for many of
you.

If I want to set a cookie to indicate that someone has a certain authority,
I'm thinking it's not a good idea for pages to then check for that cookie in
client-side JavaScript, where someone could just look at the page source to
discover the expected name and value of the cookie. I suspect it is almost
trivial, for someone who knows how, to give themselves such a cookie by
editing their client's cookie jar directly. Am I right?

- John
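
The risk raised in the question, as an added example that is not part of the original post: a check that trusts the cookie's value accepts a hand-edited cookie, while a server-side check of an HMAC tag over user, role and expiry rejects it. The cookie names, the secret, the `|`-separated payload and all function names are assumptions made for illustration.

```javascript
// Added example, not code from the original post. All names and values are constructed.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: stored on the server only

// Split a Cookie header ("a=1; b=2") into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// The pattern the post worries about: the cookie's value alone grants authority,
// so anyone who edits their cookie jar to "role=admin" passes this check.
function naiveIsAdmin(cookieHeader) {
  return parseCookies(cookieHeader).role === 'admin';
}

function mac(payload) {
  return createHmac('sha256', SECRET).update(payload).digest();
}

// Server side: bind user, role and expiry together and append an HMAC tag.
// Assumption: user and role never contain the '|' separator.
function issueAuthCookie(user, role, expiresAt) {
  const payload = `${user}|${role}|${expiresAt}`;
  return `auth=${encodeURIComponent(payload)}.${mac(payload).toString('hex')}`;
}

// Server side: returns {user, role} only for an untampered, unexpired cookie.
function verifyAuthCookie(cookieHeader, now) {
  const raw = parseCookies(cookieHeader).auth || '';
  const dot = raw.lastIndexOf('.');
  if (dot < 1) return null; // no tag present
  let payload;
  try { payload = decodeURIComponent(raw.slice(0, dot)); } catch { return null; }
  const given = Buffer.from(raw.slice(dot + 1), 'hex');
  const expected = mac(payload);
  // Constant-time comparison; lengths must match before timingSafeEqual is called.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const [user, role, expiresAt] = payload.split('|');
  if (!(Number(expiresAt) > now)) return null; // expired or malformed expiry
  return { user, role };
}
```

The signed cookie only proves the server issued that exact payload; the authority decision itself still has to run on the server for every request.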
