Will, just noticed your query! We run uPortal, and had a scheme in place to encrypt auth cookies for use by certain other in-house web apps. So it seemed easiest to do the same for Moodle. It is working fine for over a year now. Moodle has since added SSO and other auth methods but I think we'll stick with the cookie scheme for now. We had to add the mcrypt library to PHP as we needed blowfish. The cookie encrypts the username and issue-timestamp.