It may be better to use sessions, or something that simulates sessions. With sessions, the attacker has to get the session key, which would often be a MD5 or SHA1 hash, and so would be difficult (aside from 'social engineering' and carelessness). Another (but potentially slow) way would be to store the user id and some hashed key that changes on each page load, and then validate the user on each page load.
also, cookies can be very safe for this type of thing. You just need to store the info in a hash of some kind, something unreadable. That way they can't just change a 0 to a 1 and get access, know what I mean?