by ultimoo 4819 days ago
Isn't it a widely adopted practice to encrypt the content of the cookie before setting it? Of course it could still be tampered with, but not as trivially.

Frameworks like Rails or Django offer options to encrypt or sign session cookies, but any other cookies are often left up to the developer to take care of. The HttpOnly and Secure flags are important to remember as well because otherwise a man-in-the-middle or rogue JS can modify them.
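A minimal signed-cookie scheme, added here as an example that is not from this thread nor from Rails or Django: it shows why a signature (rather than encryption) is what actually detects tampering, and how the HttpOnly/Secure flags are set on the header. The secret key and cookie contents are constructed for the example.

```python
import hmac
import hashlib
import base64

# Constructed secret for this example only; a real app loads it from config.
SECRET_KEY = b"example-secret-key-change-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Return 'payload.signature'; the payload stays readable (signed, not encrypted)."""
    payload = _b64(value.encode())
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the original value, or None if the cookie is malformed or tampered."""
    try:
        payload, sig = cookie.rsplit(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so signature checks do not leak timing.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return _unb64(payload).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def set_cookie_header(name: str, value: str) -> str:
    """Build the Set-Cookie header with HttpOnly (no JS access) and Secure (TLS only)."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo():
    """Sign a cookie, then swap in a modified payload while keeping the old signature."""
    signed = sign_cookie("user_id=42&role=user")
    _payload, sig = signed.rsplit(".", 1)
    forged = _b64(b"user_id=42&role=admin") + "." + sig
    # The genuine cookie verifies; the modified one fails the MAC check.
    return verify_cookie(signed), verify_cookie(forged)
```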