Not personally got much experience with cookies unless it’s using cURL in PHP to set them for another site. How difficult would it be to chuck a message at the front of the cookie value that says “WARNING: THIS CAN BE USED TO ACCESS YOUR ACCOUNT” and then just remove it when in use?