It seems that Apache loads a CGI application, launches it, and then loads HTTP_COOKIE into the environment in that order. If the cookie is read immediately, it will often be wrong -- it will be inherited from the previous user of the application. The workaround is to write the application so that it runs as much unrelated code as possible before it reads the cookie. (Using gnu c++ compiler on ViaVerio VPS3 2000 virtual server product.) To test: Write simple application that reads a cookie and returns a simple HTML page that displays the cookie value. Access the application from two separate browser instances that pass different values for the same cookie on the same or different machines. Run the app. from one browser. Then run the app. on the second browser. Note that the cookie value from the first machine shows up on the second machine, rather than the value actually passed.
HTTP_COOKIE is just an environment variable containing the contents of the Cookie request header. How and what cookies are returned to the browsers is entirely up to the application.