Is there any connection to be made between this article and the usage of signed cookies to hold session state? Database-backed sessions hold a state that you know your application set at one point, but a signed cookie, if forged, could have much bigger ramifications. Since no one gets cryptography right, it seems like this would be another instance not to trust it.
