Yes, it's not ideal, but it's what the current software supports.
On the other hand, even an encrypted cookie would not stop someone else who's sitting at your machine to use your JR account. If you're on a shared machine, you should delete all cookies (and history etc.) anyway when you're done. Or are you worried about someone snooping the TCP/IP connection, and catching the cookie in transit?