A cookie is susceptible to both xss and CSRF. You ought to be protecting against xss anyway.