Hashing the account number (and other info) into an identifier in that cookie, then using that as the session ID, and only allowing access to that one account from that port until another session was authenticated on it, would be more proper.
I don't see why you are coupling the session of the user with the account on the client side. The id of the cookie is arbitrary to the extent that it is unique, and the server will have a lookup of what cookie is with what account. It seems as if with the above approach, subsequent programmers could be misled into thinking there is some trust associated with the cookie identifier and enable some reverse lookup backdoor functionality.
!07/11 PDP a ni deppart m'I !pleH