Beware of custom cookies
Cookies are meant to store user-related data on the browser.
The recommended method of handling user data is not with a Cookie, but with an HttpSession:
- safer than using cookies directly - data related to the user is placed in 'session scope'. Session scope exists on the server, not in the browser, and is a much more secure way of handling sensitive data. In addition, when implementing a session with cookies, the container will always generate cookie values that are difficult to guess, making it difficult for hackers to steal someone else's session.
- higher level of abstraction - each session is implemented using either cookies or URL rewriting, but the details are hidden from the caller.
- independence of browser settings - if the user's browser has cookies disabled, then the session can be implemented using URL rewriting, as a backup, if desired.
- no sensitive user data is exposed to the browser, so it does not represent a security risk
- the case of disabled cookies can still be handled, through URL rewriting
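As an added example (not from the original article), the custom-cookie approach placed beside the HttpSession approach recommended above, in a hypothetical servlet written against the javax.servlet API; the `authenticate` helper and the `login` URL are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet (added example): the weak custom-cookie approach next to
// the HttpSession approach the article recommends.
public class AccountServlet extends HttpServlet {

  // WEAK: the user id lives in the browser, so the client can rewrite it and
  // the server cannot tell a forged value from a genuine one.
  private String userIdFromCustomCookie(HttpServletRequest request) {
    Cookie[] cookies = request.getCookies();
    if (cookies == null) return null;
    for (Cookie c : cookies) {
      if ("userId".equals(c.getName())) return c.getValue();
    }
    return null;
  }

  // RECOMMENDED: the user id lives in session scope on the server; the browser
  // only holds the container-generated session id, which carries no user data.
  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String userId = authenticate(request.getParameter("user"), request.getParameter("pw"));
    if (userId == null) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
    HttpSession old = request.getSession(false);
    if (old != null) old.invalidate();          // fresh session id after login
    request.getSession(true).setAttribute("userId", userId);
    // encodeRedirectURL appends the session id to the URL only when the
    // browser has cookies disabled (the URL-rewriting fallback).
    response.sendRedirect(response.encodeRedirectURL("account"));
  }

  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    HttpSession session = request.getSession(false); // no session for anonymous visitors
    String userId = (session == null) ? null : (String) session.getAttribute("userId");
    if (userId == null) { response.sendRedirect(response.encodeRedirectURL("login")); return; }
    response.setContentType("text/plain");
    response.getWriter().println("Hello, user " + userId);
  }

  // Assumed credential check: returns the user id on success, null otherwise.
  private String authenticate(String user, String pw) { return "alice".equals(user) && "s3cret".equals(pw) ? "42" : null; }
}
```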