Hello Tanvi,
The problem is that the cookie technology is designed explicitly for the session (browser).
Yes, it is secure if:
a) The cookie is HTTP-only and is set with the Secure flag.
b) SAP EP and the 3rd-party application are in the same domain.
c) A secure protocol like HTTPS is used to open SAP WebGUI.
d) Also, this scenario is within the client's intranet.
BUT this is valid only for the session for which the cookie has been issued.
All these requirements are there to make sure that the cookie will stay with this session (browser).
Pulling OUT the cookie from this session (browser) and re-using it for another one is already a security issue because this is relevant to stealing the identity.
You can consider this as a limitation of the cookie technology for your scenario.
The scenario described by you is simply supported by SSL, and this is why we recommend SSL client authentication instead.
Best regards,
Donka Dimitrova
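
An added example, not part of the reply above and not SAP code: a small check of a `Set-Cookie` header against conditions (a) to (c) from the list. The cookie name, hosts and URLs are constructed placeholders; condition (d) and the reuse of a cookie outside its original browser session cannot be verified from the header and are not covered.

```python
from urllib.parse import urlsplit

# Constructed sample headers (placeholder cookie name and domain).
GOOD = "SSO_TICKET=abc123; Domain=.corp.example; Path=/; Secure; HttpOnly"
WEAK = "SSO_TICKET=abc123; Path=/"

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def domain_covers(cookie_domain, host):
    """True if a cookie scoped to cookie_domain would be sent to host."""
    domain = cookie_domain.lstrip(".").lower()
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)

def audit_cookie(header, portal_url, app_url):
    """Return the conditions (a)-(c) that the cookie or the URLs fail."""
    _, attrs = parse_set_cookie(header)
    portal, app = urlsplit(portal_url), urlsplit(app_url)
    findings = []
    if "httponly" not in attrs:
        findings.append("a: HttpOnly flag missing")
    if "secure" not in attrs:
        findings.append("a: Secure flag missing")
    # Without a Domain attribute the cookie is host-only and never
    # reaches the second application, so (b) cannot hold.
    domain = attrs.get("domain", "")
    if not domain or not (domain_covers(domain, portal.hostname)
                          and domain_covers(domain, app.hostname)):
        findings.append("b: cookie domain does not cover both hosts")
    if portal.scheme != "https" or app.scheme != "https":
        findings.append("c: an endpoint is not served over HTTPS")
    return findings

if __name__ == "__main__":
    print(audit_cookie(GOOD, "https://portal.corp.example/irj",
                       "https://app.corp.example/"))
    print(audit_cookie(WEAK, "http://portal.corp.example/irj",
                       "https://app.other.example/"))
```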