Cookies should always be kept to the simplest possible data, the 4kb limit that Ohm mentioned is not a Rails limit, it's a web limit and applies to all cookies.
Also remember that cookies can be easily manipulated by the user on there local machine before being sent back to the web server. DON'T TRUST data coming in from the outside world.
Stick with storing simple id's for records and validate the id's on each request. If for example the id is a key for a record that belongs to the logged in user, verify that the logged in user "owns" the record and that the record is not for some other user.
The following is a typical example of a controller method that might be relying on a cookie
@some_order = @current_user.orders.find(session[:some_secure_key])
Then a check to ensure that @some_order contain a record is enough. If no record is found but the id exists in the database you can be pretty sure that the user is messing around with cookies to see if they can hack your site.