Security implications of storing a value in cookies.signed versus the session

I want to have a more permanent login for users, so I want to save the user id with cookies.signed[:id] = user.id instead of session[:id] = user.id.

Are there any security implications of this change that I should be aware of (different encryption, etc.)?


Well, here is an example. Let me work through a very bad scenario. Someone got hold of the application's cookie-signing secret. That way, these bad people will be able to store any data they want in a cookie. If you identify users by id in a cookie, they will be able to log in as any user in the system. How? Well, most applications use integers starting at 0 for identifiers, right? It will be quite easy to find, for example, an administrator user with identifier 1. What if you identify users by session instead? Sessions (like cookies) usually expire. What is more, it will be rather troublesome to guess the session identifier of the administrator or anyone else (and even impossible if these users do not have a session at all). I'm not saying that you are completely safe if someone stole your application's secret and you only store the session identifier in cookies. But it is definitely better to store the user ID in the session rather than storing it in a cookie.

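The following Ruby script is an added illustration of the two designs the answer contrasts; it is not code from the question, the answer, or Rails. It uses a simplified "base64(value)--hmac" cookie format as a stand-in for cookies.signed (Rails' real format differs), a constructed secret, and an in-memory session store with a constructed 30-minute TTL. It shows that a signed cookie is tamper-proof only as long as the secret is unknown, that the verifier accepts any user id minted with the secret, and that a server-side session keyed by a random 128-bit id can expire and be revoked without the id being enumerable.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Constructed demo secret; in Rails the signing key is derived from secret_key_base.
SECRET = 'constructed-demo-secret-do-not-deploy'.freeze

# Constant-time comparison so MAC checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Style 1: the user id lives in the cookie, protected only by an HMAC.
# The "base64(value)--hex(hmac)" layout is a simplified stand-in for
# cookies.signed, not Rails' own implementation.
def sign_cookie(value, secret = SECRET)
  data = Base64.strict_encode64(value.to_s)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, data)}"
end

# Returns the payload string, or nil if the MAC does not verify under `secret`.
def read_signed_cookie(cookie, secret = SECRET)
  data, mac = cookie.to_s.split('--', 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, data)
  return nil unless secure_equal?(mac, expected)
  Base64.strict_decode64(data)
rescue ArgumentError
  nil
end

# --- Style 2: the cookie carries only a random session id; the user id stays
# server side, entries expire, and any one of them can be revoked.
class SessionStore
  TTL = 30 * 60 # seconds; constructed value for the demo

  def initialize
    @sessions = {}
  end

  # 128 random bits: not enumerable the way small integer user ids are.
  def create(user_id, now = Time.now)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user_id: user_id, expires_at: now + TTL }
    sid
  end

  def user_for(sid, now = Time.now)
    entry = @sessions[sid]
    return nil if entry.nil?
    if entry[:expires_at] <= now
      @sessions.delete(sid) # lazy expiry
      return nil
    end
    entry[:user_id]
  end

  def destroy(sid)
    @sessions.delete(sid)
  end
end

# Exercises both properties from the answer and returns the outcomes as a hash.
def compare_designs
  # A signed cookie resists tampering by someone without the secret...
  genuine  = sign_cookie(42)
  tampered = "#{Base64.strict_encode64('1')}--#{genuine.split('--', 2).last}"
  # ...but the verifier accepts any payload signed with the secret, and with
  # small integer ids that covers every account, including id 1.
  minted_for_id_1 = read_signed_cookie(sign_cookie(1))

  store = SessionStore.new
  sid   = store.create(42)
  {
    genuine_verifies:   read_signed_cookie(genuine) == '42',
    tampered_rejected:  read_signed_cookie(tampered).nil?,
    secret_mints_any:   minted_for_id_1 == '1',
    session_lookup:     store.user_for(sid) == 42,
    random_sid_unknown: store.user_for(SecureRandom.hex(16)).nil?,
    expired_rejected:   store.user_for(sid, Time.now + SessionStore::TTL + 1).nil?
  }
end

puts compare_designs if __FILE__ == $PROGRAM_NAME
```

One caveat: the distinction only holds with a server-side session store (ActiveRecord, cache, or similar). Rails' default CookieStore keeps the whole session inside a signed (and, on current versions, encrypted) cookie, so with it a session[:id] is exposed to the same secret-compromise risk as cookies.signed[:id]. For a persistent login the same pattern applies: put a random token in the signed cookie and keep the user id in a server-side table keyed by that token, so the login can be expired and revoked.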
