From a security perspective, this looks like a terrible, terrible idea, or did I miss something here?

@iltar Please describe your worrisome thoughts

See also https://softwareengineering.stackexchange.com/questions/146692/why-do-popular-websites-store-very-complicated-session-related-data-in-cookies why this may work. Cookies are cheap, basically.

also consider encryption and data chunking.

In Symfony the cookie can contain objects (Security, Flashes), which are serialized. Storing php serialized objects on the client-side makes it possible for the client to modify these values and therefor introduce a remote scripting attack!

Unless you use a secure storage format (JSON for example) and make absolutely sure not never store an serialized object it can be safe. No, encryption is possible but unless you use a secure (not mcrypt) system this can still be compromised.

seems like a good case for libsodium then. Note that the NelmioSecurityBundle does offer cooking signing. It did offer encryption, but is deprecating it due to mcrypt being not so good.

Throwing more information on the heap: http://bigornot.blogspot.com/2008/06/securing-cookies-php-implementation.html

Generally people like using cookies for this since you can have stateless authentication without hitting the database. I don't generally think it's a good idea, but wanted to offer bigornot's blog post into the discussion.

Cipher : MCRYPT_RIJNDAEL_256 (Rijndael 256) option name : mcrypt_algorithm (see mcrypt documentation)

You know a blog post is old when they recommend MCRYPT_RIJNDAEL_256, which is not actually Rijndael 256. https://paragonie.com/blog/2015/05/if-you-re-typing-word-mcrypt-into-your-code-you-re-doing-it-wrong

Surprise! MCRYPT_RIJNDAEL_256 doesn't mean AES-256.
All variants of AES use a 128-bit block size with varying key lengths (128, 192, or 256). This means that MCRYPT_RIJNDAEL_128 is the only correct choice if you want AES.

Libsodium is the only secure standard (for now), you can also use https://github.com/paragonie/halite/blob/master/src/Cookie.php (GPL licensed, commercial licenses available) for a complete Libsodium usage implementation.

I'm closing here as this doesn't need to be in core. A third party library could provide it.