Re: Cookies are one of the misfeatures of HTTP
The fundamental issue here is the statelessness of HTTP/TCP/IP. I'm not sure why cookies particularly get the blame for this; any solution that requires the client to hold some state is open to hijacking. Any solution with no client state at all has to treat you like it's your first visit every time you use it. If you log in, it has to store a token to keep you authenticated, and whether you pass that as a header or as a cookie, it's still effectively the same thing. Cookies are not the problem; statelessness is.
Besides, if all the hacker can do is change a cookie and that compromises the app, then the app is being too trusting of its input.
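The two points in the post above, as an added example that is not part of the original post: a server that treats the client-held token as untrusted input and runs the same integrity check whether it arrives as a cookie or as a header. The cookie name `session`, the key and all function names are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # constructed sample key; load from a secret store in practice


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, ttl=3600, now=None):
    """Return 'payload.tag', where tag = HMAC-SHA256(SECRET, payload)."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": user, "exp": int(now + ttl)}).encode()
    return _b64(payload) + "." + _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())


def verify_token(token, now=None):
    """Return the user name, or None if the token is malformed, altered or expired."""
    now = time.time() if now is None else now
    try:
        p64, t64 = token.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)  # parsed only after the tag checks out
    return claims["user"] if claims["exp"] >= now else None


def authenticate(headers, now=None):
    """Accept the token from either transport; the check is identical."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return verify_token(auth[len("Bearer "):], now)
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return verify_token(value, now)
    return None
```

The tag stops a client from changing the token's contents; it does nothing against a token that is copied intact, which is the hijacking risk any client-held state carries.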