in reply to HTTP cookies and spoofing domain names
As has been pointed out, any sane web browser only sends cookies for the appropriate domain. This is a measure to protect the user's privacy.
However, there is no protection for the server from seeing fake data. Just like query parameters (or anything else in the HTTP request), a mischievous user can send whatever he wants to your CGI. NEVER trust anything you get from a remote user.
A session cookie should therefore either only contain a random number that maps to something in your database, or be cryptographically signed (for example with a keyed hash function). Relying on a userid or nickname sent via cookie is asking for abuse.
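Both approaches described in the reply above, as an added example that is not part of the original post: a session cookie that is only a random token mapping to server-side state, and a cookie whose payload is protected by a keyed hash (HMAC-SHA256) so a tampered value fails verification. The key, the in-memory session store and the token format are constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Hypothetical server-side key for the example. A real deployment loads it
# from configuration or a secret store, never from source code.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def sign_cookie(value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.signature', where signature is HMAC-SHA256 over value.

    The signature is URL-safe base64 without padding, so it never contains
    a '.', which lets verify_cookie split on the last '.' unambiguously.
    """
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(tag).rstrip(b"=").decode("ascii")
    return f"{value}.{sig}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the payload if the cookie verifies under key, otherwise None.

    Anything the client sent is untrusted until the keyed hash checks out;
    a changed payload, a changed signature or a cookie signed with another
    key all fail here.
    """
    value, sep, _sig = cookie.rpartition(".")
    if not sep:
        return None  # no signature present at all
    expected = sign_cookie(value, key)
    # Constant-time comparison so the check leaks nothing about the
    # expected signature via timing.
    if hmac.compare_digest(expected.encode("ascii"), cookie.encode("utf-8")):
        return value
    return None


# Random-number approach: the cookie carries no user data, only an opaque
# token that indexes server-side state (a dict here standing in for a DB).
SESSIONS: dict = {}


def create_session(user_id: str) -> str:
    """Create an unguessable session token (256 bits of randomness)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def lookup_session(token: str):
    """Return the user bound to token, or None if it is unknown or forged."""
    return SESSIONS.get(token)


if __name__ == "__main__":
    signed = sign_cookie("alice")
    print("signed cookie:", signed)
    print("verifies as:", verify_cookie(signed))
    print("tampered verifies as:", verify_cookie(signed.replace("alice", "admin")))
    tok = create_session("alice")
    print("random token lookup:", lookup_session(tok), lookup_session("guess"))
```

With the signed variant the server still has to treat the payload as data, not as an instruction: the signature proves the server produced the value, not that the value is still meaningful (an expiry inside the signed payload is the usual fix for replay). The random-token variant avoids that question entirely because the cookie says nothing on its own.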