Yep but the data in the cookie was provided by the server, which had to already auth you via some means. Like a password, or a client side SSL cert.