They don't have to log in from your malicious page; your malicious page only plants your fake cookie. The important part is that your browser sends your cookie instead of the proper one, because it has a more specific path. When the user logs in, they log in on your session.
A fix would probably be checking cookies more carefully, ensuring the value and path components are what they should be. You could also assign a new session ID when a user logs in, so there is no chance of a polluted session.
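The following is an added example, not part of the comment above or any project's code. It models the scenario the comment describes: the attacker's cookie is scoped to the more specific path `/login`, so the browser lists it before the victim's own cookie in the `Cookie` header (RFC 6265 section 5.4 orders matching cookies longer-path-first), and a server that takes the first `session` value binds the login to the attacker's session. The `App` class, the `/login` and `/account` paths, and the assumption that the server keeps the first occurrence of a cookie name are all constructed for the illustration; the second run shows the fix the comment suggests, issuing a fresh session ID at login and discarding the presented one.

```python
import secrets


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: does a cookie scoped to cookie_path apply?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/") or request_path[len(cookie_path)] == "/":
            return True
    return False


class BrowserJar:
    """Toy client-side cookie jar for a single host, keyed by (name, path).

    Two cookies with the same name but different paths coexist, exactly the
    condition the attack relies on.
    """

    def __init__(self):
        self._cookies = {}

    def set_cookie(self, name: str, value: str, path: str = "/") -> None:
        self._cookies[(name, path)] = value

    def cookie_header(self, request_path: str) -> str:
        matching = [(p, n, v) for (n, p), v in self._cookies.items()
                    if path_match(request_path, p)]
        # Browsers emit longer (more specific) paths first, so the attacker's
        # /login-scoped cookie precedes the victim's /-scoped one.
        matching.sort(key=lambda t: len(t[0]), reverse=True)
        return "; ".join(f"{n}={v}" for _, n, v in matching)


def parse_cookie_header(header: str) -> dict:
    """Server-side parse; first occurrence of a name wins (assumed, common in frameworks)."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            out.setdefault(name, value)
    return out


class App:
    """Hypothetical server holding sessions in memory."""

    def __init__(self, regenerate_on_login: bool):
        self.sessions = {}
        self.regenerate_on_login = regenerate_on_login

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, cookie_header: str, user: str) -> str:
        sid = parse_cookie_header(cookie_header).get("session")
        if sid not in self.sessions:
            sid = self.new_session()
        if self.regenerate_on_login:
            # The fix: never bind the login to an ID the client presented.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid  # a real server would send Set-Cookie: session=<sid>; Path=/

    def whoami(self, cookie_header: str):
        sid = parse_cookie_header(cookie_header).get("session")
        return self.sessions.get(sid, {}).get("user")


def run_scenario(regenerate_on_login: bool):
    """Returns who the attacker is logged in as after the victim logs in."""
    app = App(regenerate_on_login)
    attacker, victim = BrowserJar(), BrowserJar()
    attacker_sid = app.new_session()
    attacker.set_cookie("session", attacker_sid, "/")
    victim.set_cookie("session", app.new_session(), "/")
    # The malicious page plants the attacker's ID under the more specific path.
    victim.set_cookie("session", attacker_sid, "/login")
    header = victim.cookie_header("/login")
    assert header.startswith(f"session={attacker_sid}")  # attacker's cookie is sent first
    victim.set_cookie("session", app.login(header, "victim"), "/")
    return app.whoami(attacker.cookie_header("/account"))


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))  # attacker now owns the victim's login
    print("fixed:", run_scenario(True))        # attacker's session is gone
```

Note that the fix does not remove the planted `/login` cookie from the victim's browser; it simply makes the presented ID irrelevant, because the authenticated session lives under an ID the attacker never learns.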