BvBasically a cookie is a really long "password" which you send to the server and the server looks it up, finds you and sends you a response of some sorts. That's how all "keep me logged in" things work in web browsers.
To address the rest of the thread / any other information:
The only way around this is to never login or touch a page ever. You HAVE to login in order for this type of attack to happen. Another thing, usually OAuth2 will tell you exactly what type of permissions the developer has when accessing your account. Discord does this very well, telling you "This will allow the access of your identification, guilds and email" for example.
Here's an example of OAuth2 "Login through Discord" with Mee6:
Here's an example of OAuth2 "Login through Steam" with demos.tf (api.demos.tf in this case):
Cookies aren't the only way a web browser has access to certain key/value pairs. There's also local storage, session storage, and of course a database. Peeking at cookies will not tell you certainly what or where your data went / has gone, but the only trust you have is in the domain you're accessing and the people behind it. Do not assume that just because there's a cookie that you're being hacked either. Cookies, local storage, and session storage all have their pros and cons to web development, and it's entirely up to the developer on how to use these APIs responsibly.
In addition to any of this, it's very easy to spoof a login website. If you're running chrome and save your steam username/password so you can just click on your account and login and you don't see that when you're trying to access a login page then you're most likely on a spoof site. Look below on details on how to exactly spot one if you're not sure. Again, if you do not trust the website or it's not properly established, then do not risk anything.
If you log in and you do not see a green padlock (or just a padlock) left of the URL on the top of your screen when on the Steam page to signin, you are getting spoofed. Proof read your URLs before logging in.
Here's a picture of what that would look like:
That padlock ensures that all your traffic is encrypted (at least between the browser and the server). However, just because this is secure does not mean it's the real Steam server...
Beyond the padlock:
Clicking that "green" (or white) padlock will bring up connection details on Chrome. You can check who certified that certificate, and for steam, this will always be on behalf of the company (Valve Corp [US]). Company certs are always going to be from the company, as they're expensive and only given to real legal entities.
Hope this answers some questions about how logging in may give details about your profile, as told by a web developer. I do not know everything certainly, but I think I have worked long enough to at least tell people what to look for if you're skeptical.
Just please, don't click links that you've never heard of or "test" the website. You will always certainly not be the first person to fall victim.