Never trust the client
The company's website was defaced over the weekend. Their login system was all custom-made, so we looked into how it worked. Some pseudocode:
$userId = login($username, $password);
if($userId != 0) // login success
    cookie_set('userId', $userId); // the user ID itself is stored in a client-side cookie, which the browser's owner controls
// later on in other pages
if(!cookie_isSet('userId'))
    die('You must be logged in');
$userId = cookie('userId'); // trusted as-is: whatever value the client sends becomes the logged-in user
I guess the developers never knew about PHP sessions and thought they could trust the users' cookies. It was pretty clear at this point how they were defaced so easily.
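For contrast, here is the same login flow rebuilt on PHP's built-in server-side sessions. This is an added example, not code from the original post or from the defaced site: the cookie carries only an opaque, random session ID, and the user ID never leaves the server. The `authenticate()` function is a hypothetical stand-in for the post's `login()`, assumed to return 0 on failure and the numeric user ID on success, and the credential store inside it is constructed sample data.

```php
<?php
// Added example (not the original post's code): login with PHP sessions so the
// client never holds, and therefore cannot forge, the user ID.
declare(strict_types=1);

// Hypothetical replacement for the post's login(): 0 on failure, user ID on success.
function authenticate(string $username, string $password): int
{
    // Constructed sample credential store; real code would query a database.
    // Passwords are stored as password_hash() output and checked with password_verify().
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    if (!isset($users[$username])) {
        return 0;
    }
    return password_verify($password, $users[$username]['hash']) ? $users[$username]['id'] : 0;
}

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The session cookie holds only a random ID; all state lives server-side.
    session_set_cookie_params([
        'httponly' => true,  // not readable from page scripts
        'secure'   => true,  // only sent over HTTPS
        'samesite' => 'Lax', // not sent on most cross-site requests
    ]);
    session_start();
}

// login handler: replaces cookie_set('userId', $userId)
function handleLogin(string $username, string $password): bool
{
    startSecureSession();
    $userId = authenticate($username, $password);
    if ($userId === 0) {
        return false;
    }
    // Issue a fresh session ID on privilege change so a pre-set ID cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['userId'] = $userId;
    return true;
}

// protected page: replaces the cookie_isSet('userId') / cookie('userId') check
function requireLogin(): int
{
    startSecureSession();
    if (!isset($_SESSION['userId'])) {
        http_response_code(401);
        exit('You must be logged in');
    }
    // Came from server-side storage, so it is the ID this server assigned at login.
    return (int) $_SESSION['userId'];
}
```

The difference from the original is where the trust boundary sits: in the post's code the server reads the user ID straight out of a value the client supplied, whereas here the only client-supplied value is a random session ID that the server looks up, so a visitor can at most present a session that was actually created by a successful login. If state genuinely has to travel in a cookie, the equivalent defence is to sign it server-side (an HMAC over the value with a secret key) and verify the signature before using it.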