1) Yes, everyone can create cookies, but not everyone can encrypt the value you want to set. The encryption is done server side with a private key only you, or your code, should have access to.
2) A cookie can be set to be available only during the browser session or until a specific expiration date, so yes, that would be a good option.
3) I would not know for all users, but a cookie is a good option. Sites like live.com and google.com just create cookies with a long expiration date. Keep in mind that you should provide a means to let the user decide this (for instance using a checkbox).
Maybe I'm missing some context, but why reinvent the wheel and not just use ASP.NET Forms Authentication? That will do just what you describe in your algorithm.
You can combine it with the Membership Provider Framework or the new ASP.NET Identity Framework.
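
As an added illustration (not part of the original answer), here is how the points above fit together with Forms Authentication: the ticket is encrypted server side with the application's machineKey, and the cookie is persistent only when the user ticked the checkbox. The `RememberMeCookie` class, its method names and the 30-day lifetime are assumptions made for this example.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; RememberMeCookie and its members are hypothetical names.
public static class RememberMeCookie
{
    // Assumption: 30 days for "remember me"; choose what your policy allows.
    private static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(30);

    public static void Issue(HttpResponseBase response, string userName, bool rememberMe)
    {
        DateTime now = DateTime.Now;
        DateTime expires = now.Add(rememberMe ? PersistentLifetime
                                              : FormsAuthentication.Timeout);

        var ticket = new FormsAuthenticationTicket(
            1, userName, now, expires, rememberMe,
            string.Empty, FormsAuthentication.FormsCookiePath);

        // Encrypted and validated with the machineKey from configuration,
        // so a client can create a cookie but not a valid ticket value.
        string protectedValue = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, protectedValue)
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // set requireSSL="true" on HTTPS sites
            Path = FormsAuthentication.FormsCookiePath
        };
        // No Expires value means a session cookie that ends with the browser.
        if (rememberMe) cookie.Expires = expires;
        response.Cookies.Add(cookie);
    }

    // Returns the user name, or null when the cookie is missing, expired or invalid.
    public static string ReadUserName(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket.Name;
        }
        catch (Exception)
        {
            return null; // fail closed: an undecryptable value is not a login
        }
    }
}
```

The expiration is carried inside the encrypted ticket as well as on the cookie, so a client that edits the cookie's expiry date does not extend the login.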