I'm actually not sure this is true. This is what I imagine could be done by an attacker that can read the wire between the server and client:
1. Intercept and extract a cookie from a privileged session.
2. DoS the genuine client.
3. Spoof that client's IP and present the ill-gotten cookie to the server.
Step 1 is made harder by encrypting communication. Step 3 could be made easier through understanding of the particular application semantics.
Another possibility is rifling through the browser cache of a (for example) stolen laptop, looking for interesting cookies. Limiting the lifetime of cookies helps protect against that.
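An added example, not part of the original post: a session cookie that is restricted to TLS and whose lifetime is enforced on the server, since `Max-Age` only asks the browser to delete the cookie and does nothing once the value has been copied off a disk. The names `SECRET`, `MAX_AGE`, `issue_cookie` and `validate` are hypothetical, and the key and the 15-minute lifetime are constructed values.

```python
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from typing import Optional

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret, constructed here
MAX_AGE = 900                     # assumption: 15-minute session lifetime, in seconds


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload, so the issue time cannot be altered."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(session_id: str, now: Optional[float] = None) -> str:
    """Return a Set-Cookie header value for a short-lived, TLS-only cookie."""
    issued = int(time.time() if now is None else now)
    payload = f"{session_id}.{issued}"
    cookie = SimpleCookie()
    cookie["session"] = f"{payload}.{_sign(payload)}"
    cookie["session"]["max-age"] = MAX_AGE  # browser drops it after this
    cookie["session"]["secure"] = True      # never sent over plaintext HTTP
    cookie["session"]["httponly"] = True    # not readable from page scripts
    return cookie["session"].OutputString()


def validate(value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the session id if the value is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        session_id, issued, sig = value.rsplit(".", 2)
        issued_at = int(issued)
    except ValueError:
        return None  # wrong shape or non-numeric issue time
    expected = _sign(f"{session_id}.{issued}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # forged or modified value
    # Server-side expiry: a copied cookie stops working even though the
    # party replaying it ignores the Max-Age attribute.
    if not 0 <= now - issued_at <= MAX_AGE:
        return None
    return session_id
```
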