There is a solution to this....
Cookies should always be used in conjunction with a TLS Session ID.
If the session ID doesn't match, then throw away the cookies.
Session ID is designed to be hard to steal - in some clients, it actually uses keys from the TPM to derive the session ID - so even if someone steals the browser cookie jar, there is no way they can recreate the session ID.
Sadly today very few sites check the session ID
