Forum OpenACS Development: Re: Expired Cookie

6: Re: Expired Cookie (response to 5)
Posted by Tom Jackson on
This setup was developed before browsers started remembering your login details. A better practice would be to eliminate the user cookie completely and use the opaque session cookie to get the information. Maybe cache it in an nsv array.

If the OACS system maintains session data, it would be easy to add certain functionality: admin delete of a current session, forcing re-login, and user delete, preventing future use of a session (replay attack). You could also create a temporary read-only system by flushing all session data and disabling the login page. Maybe some of this is already available.
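The server-side session design the post sketches, as an added illustration that is not OpenACS code and not part of the original thread: an opaque random token is the only thing the browser holds, the server maps it to the user, and the three operations the post lists (admin delete of a user's sessions, user delete so a captured cookie cannot be replayed, and a flush-plus-disable-login for a temporary read-only system) are each a single operation on that store. It is written in Python rather than Tcl so it runs stand-alone; the `SessionStore` class, its method names and the in-memory dict standing in for the nsv array are all assumptions made for this example.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Hypothetical server-side session store (example code, not OpenACS).

    The browser receives only an opaque random token; every fact about the
    session lives here.  A plain dict stands in for the shared nsv array
    mentioned in the post.
    """

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._sessions = {}        # sha256(token) -> {"user_id", "created", "last_seen"}
        self._ttl = ttl_seconds
        self._clock = clock        # injectable so expiry can be tested deterministically
        self.logins_enabled = True

    @staticmethod
    def _key(token):
        # Store a hash of the token, not the token itself, so a dump of the
        # store (e.g. from a debug page or a crash log) cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id):
        """Create a session; returns the opaque token to be set as the cookie."""
        if not self.logins_enabled:
            raise PermissionError("logins disabled (read-only mode)")
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, carries no user data
        now = self._clock()
        self._sessions[self._key(token)] = {
            "user_id": user_id, "created": now, "last_seen": now,
        }
        return token

    def resolve(self, token):
        """Return the user_id behind a valid token, or None (caller forces re-login)."""
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > self._ttl:   # idle timeout: drop and deny
            del self._sessions[key]
            return None
        rec["last_seen"] = now
        return rec["user_id"]

    def logout(self, token):
        """User delete: the token is dead afterwards, so a captured cookie cannot be replayed."""
        return self._sessions.pop(self._key(token), None) is not None

    def revoke_user(self, user_id):
        """Admin delete: drop every session of one user, forcing re-login everywhere."""
        doomed = [k for k, r in self._sessions.items() if r["user_id"] == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def enter_read_only(self):
        """Temporary read-only system: flush all sessions and disable the login page."""
        flushed = len(self._sessions)
        self._sessions.clear()
        self.logins_enabled = False
        return flushed

    def leave_read_only(self):
        self.logins_enabled = True

    def active_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login(42)
    print("resolves to", store.resolve(tok))
    store.logout(tok)
    print("after logout, replay resolves to", store.resolve(tok))
```

The replay protection comes entirely from the server forgetting the token; nothing about the cookie value itself changes, which is why an opaque token is preferable to a cookie that encodes the user id.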