Cookies are subject to man-in-the-middle attacks, particularly if you use them in non-encrypted communication. CGI::Session uses cookies to keep state between the server and client. The attack isn't easy to do, so it shouldn't be a concern for a low-value target. If you have a high-value target you should be using SSL and keeping the cookie lifetimes short.
I'm actually not sure this is true. This is what I imagine could be done by an attacker that can read the wire between the server and client:
- Intercept and extract a cookie from a privileged session.
- DoS the genuine client.
- Spoof that client's IP and present the ill-gotten cookie to the server.
Step 1 is made harder by encrypting communication. Step 3 could be made easier through understanding of the particular application semantics.
Another possibility is rifling through the browser cache of a (for example) stolen laptop, looking for interesting cookies. Limiting the lifetime of cookies helps protect against that.
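A defender-side illustration of the two mitigations both posters point to (HTTPS-only transport and short cookie lifetimes), written as an added example that is not code from either poster; it assumes CGI.pm with CGI::Session 4.x and a writable `/tmp/sessions` directory, which are my choices, not anything from the thread.

```perl
use strict;
use warnings;
use CGI;
use CGI::Session;

my $cgi = CGI->new;

# Load the session named by the client's cookie, or create a fresh one.
my $session = CGI::Session->new("driver:File", $cgi, { Directory => '/tmp/sessions' })
    or die CGI::Session->errstr;

# Server-side lifetime: session data is discarded after 15 idle minutes, so a
# cookie lifted from a cached browser profile (the stolen-laptop case above)
# stops being useful shortly after the real user walks away.
$session->expire('+15m');

# Client-side cookie: -secure keeps it off plaintext HTTP (the wire-sniffing
# case above), -httponly keeps it out of script reach, and the short -expires
# matches the server-side lifetime.
my $cookie = $cgi->cookie(
    -name     => $session->name,
    -value    => $session->id,
    -expires  => '+15m',
    -secure   => 1,
    -httponly => 1,
);

print $cgi->header(-type => 'text/plain', -cookie => $cookie);
print "Session ", $session->id, " is active\n";

# Persist any session changes before the script exits.
$session->flush;
```

Note that `-secure` only takes effect when the site is actually served over HTTPS; on a plain-HTTP site the browser will simply never send the cookie back.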