In our practice, password reset tokens and encrypted
session cookies continue to be the top source of
exploitable crypto vulnerabilities in web applications.
You don't need encryption to build either of these
features; send 128-bit random numbers that key a database
row instead.
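
An added example, not code from the original page: a password reset flow in which the token is a 128-bit random value whose only job is to look up a database row. The table layout, function names, one-hour lifetime, and the choice to key the row by a SHA-256 hash of the token are assumptions made here.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_BYTES = 16          # 128 bits, as the text recommends
TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the page does not give one


def open_store():
    """In-memory table standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE reset_tokens (token_hash TEXT PRIMARY KEY,"
        " user_id INTEGER NOT NULL, expires_at REAL NOT NULL)"
    )
    return db


def _row_key(token):
    # Assumption added here: key rows by SHA-256 so a leaked table has no live tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(db, user_id, now=None):
    """Return an opaque token; user and expiry live only in the row."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)  # 16 bytes from the OS CSPRNG
    db.execute(
        "INSERT INTO reset_tokens VALUES (?, ?, ?)",
        (_row_key(token), user_id, now + TOKEN_TTL_SECONDS),
    )
    db.commit()
    return token


def redeem_reset_token(db, token, now=None):
    """Return the user_id for a live token and consume it, else None."""
    now = time.time() if now is None else now
    key = _row_key(token)
    row = db.execute(
        "SELECT user_id, expires_at FROM reset_tokens WHERE token_hash = ?", (key,)
    ).fetchone()
    # Delete before answering: a token works once, and expired rows are purged.
    deleted = db.execute("DELETE FROM reset_tokens WHERE token_hash = ?", (key,))
    db.commit()
    if row is None or deleted.rowcount != 1 or now >= row[1]:
        return None
    return row[0]
```

The token carries no user id, timestamp, or signature, so there is nothing for a client to decrypt, forge, or tamper with; revoking it is a row delete.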