The header information with a cookie can look something like the following:
Set-Cookie: user_id:dajohn13; domain=.somedomain.com; path=/cgi-bin;
expires=Sat, 01-Apr-2003 11:30:00 GMT; secure
That is sent as plain text, which is not secure. Whatever values you set for the cookie can then be sniffed, so sensitive information shouldn't be passed this way.