Many sites initially require a username and password to authenticate the user. However, in the future, the cookie is the only token needed. Often these cookies are easily forged or guessed by an interrogative adversary.
New England Bride (www.nebride.com) uses a cookie called ID to verify its users. The value of the cookie is the user's id (in plaintext). Create an ID cookie with your ex-girlfriend's username as the value, set your URL to http://www.nebride.com/pages/neb/sys/asp/changereginfo.asp , and you have instant access to her name, address, phone number, e-mail address, wedding date and place, and password -- interesting how many of these bear a startling resemblance to the groom's name -- that's right, it comes up on the screen in the clear. In addition, if she's using the services provided, you can have access to (and alter) her guest list and the list of support services (caterers, etc.) she's using.
Use authenticators which are not easily predictable or guessable.