Putting plaintext passwords in a cookie doesn't sound anything like incrementing an integer in a URL.