The cookie should always be minimal and arbitrary. If you want to fingerprint the device and have confidence in that correctness it's something you should store on the server (or at least store a hash of on the server).
Anything that is on a client device can be manipulated without your awareness.
Anything that is on a client device can be manipulated without your awareness.