I'm pretty sure you are aware of this, but to avoid confusion from people reading this later...

You'd have to learn the "secret" string and then reverse a hash function and that would then only get you the hashed password.

If we are really talking about the cookie being a cryptographic hash of something and a hashed password, the phrase reverse the hash describes an extremely hard problem. Reversing any cryptographic hash should be computationally infeasible.