There are two tools. The first is you and your brain doing a manual approach while perhaps reviewing the code related to the authentication, to see if you can set any magic cookies.
The other second tool, could be Burp Suite (Free), which can analyse cookies to see if they follow any pattern.
I'd recommend analysing the code if it's possible, as you will be able to spot flaws almost instantly compared to guessing with programs that tries to compute the algorithm used, as this may not be accurate and / or produce any good results.
Imagine you know there's a magic cookie, that grants admin access rights / privileges. This value is: !"dnjc%T5jjfklaj¤%&%¤jnsad#¤#¤%dnxsam%
If you review the code, you will find this within a few minutes. Of course, this approach is only possible with code auditing / review.
The other method is to see if you can bruteforce this value, which may take up way too long time. Often what you do is you grab a lot of cookies from a site, which you've produced yourself via e.g. Burp and then you analyse these. You'll have to choose this alternate method, in case the target uses closed source scripts / programs, that are not available for code review by any means possible.
If you gain a foothold into e.g., a webserver, downloading a copy of the source code in case it is closed source, could also be a good idea as you can analyse it for further vulnerabilities and thereby have several entry points. Just my 2 cents