Persistent cookies (i.e. those that appear as files on the client's machine) are a different matter. These are nothing to do with the HTTPSession. You would use these to track more long term data. For example, if you come accross a site that has a "remember me" option that pre-fills the username field of the login screen (as for example Amazon does) this is probably implemented using a cookie. You should not store any data in this sort of cookie that is in any way sensitive.
If it were me, I'd argue with whoever set the requirements to change them. You can set anything you like in a cookie within reason. It whether you should that is the issue.
If their driver is that they don't want people to have to enter security credentials to access a secure resource, I'd point them at "pass through" authentication instead. [ September 11, 2008: Message edited by: Paul Sturrock ]