Wouldn't a relatively simple fix for this be to detect this at the front end, and serve a static page with JavaScript that clears all of their cookies and then redirects back?
If I understand this correctly, that would be after the client has sent umpteen MB or GB of cookie data to you, and you've hopefully detected what's going on and are just routing the request to /dev/null by this time. If, after that, the sending of the request hasn't caused a timeout, sure, we can send some JS to delete cookies.