Anyone can set a BlockID cookie. This allows a user to discover revdeleted users by trying different block IDs until they hit upon one that works but isn't public.
We should include a MAC with the cookie value. (E.g. the cookie is $blockId . '!' . hash_hmac( 'sha256', $blockId, $wgSecretKey ); before using the value, the HMAC is verified to prevent spoofing.)
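
A sketch of the proposed scheme, added here as an example and not taken from the MediaWiki code base: the function names `makeBlockCookieValue` and `readBlockCookieValue` and the sample key are hypothetical, and `$secretKey` stands in for `$wgSecretKey`.

```php
<?php
// Added example. Function names and the sample key are hypothetical.

/** Build the cookie value: "<blockId>!<hex HMAC-SHA256 of blockId>". */
function makeBlockCookieValue( int $blockId, string $secretKey ): string {
	return $blockId . '!' . hash_hmac( 'sha256', (string)$blockId, $secretKey );
}

/**
 * Return the block ID only if the MAC verifies.
 * Returns null for a value with no MAC, a malformed ID, or a MAC that does not match.
 */
function readBlockCookieValue( string $cookieValue, string $secretKey ): ?int {
	$parts = explode( '!', $cookieValue, 2 );
	if ( count( $parts ) !== 2 ) {
		// No delimiter: a bare ID such as a client would send when guessing.
		return null;
	}
	[ $id, $mac ] = $parts;
	if ( !ctype_digit( $id ) ) {
		// Empty or non-numeric ID part.
		return null;
	}
	$expected = hash_hmac( 'sha256', $id, $secretKey );
	// hash_equals() compares in constant time, so response timing
	// does not reveal how many leading characters of the MAC matched.
	return hash_equals( $expected, $mac ) ? (int)$id : null;
}

// Constructed sample key for the demonstration only.
$secretKey = 'constructed-sample-key';

// Value as the server would issue it for block 1234.
$issued = makeBlockCookieValue( 1234, $secretKey );
var_dump( readBlockCookieValue( $issued, $secretKey ) );

// Client-chosen ID with no MAC.
var_dump( readBlockCookieValue( '1235', $secretKey ) );

// Client-chosen ID paired with the MAC that was issued for a different ID.
$macFor1234 = explode( '!', $issued, 2 )[1];
var_dump( readBlockCookieValue( '1235!' . $macFor1234, $secretKey ) );
```

Because the MAC covers the ID itself, a MAC issued for one block cannot be reused to probe another, and the block lookup is only reached after verification succeeds.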