You are openening a file that is named in a cookie. This means that a) The cookie needs to exist and b) it contains the correct file name relative to where your CGI app is running. You really need to do some checking to make sure that both of these requirements are met. This will involve you checking for the existence of the cookie, checking that the file name contained within it can be located and then opening.

You should be aware that taking any value from the user and treating it as a file name is a huge security hole since the user could pass the name of a system file or device etc.