Provided the cookie domains (of the page hosting the Flash control and the URL to which you’re posting) match, then yes, the browser cookies get sent with the request by default. As a quick example (working version here), I’ve thrown together a simple ColdFusion page hosting a SWF containing the following code:

<mx:Script>     <![CDATA[          private function btn_click():void         {             var req:URLRequest = new URLRequest('http://test.enunciato.org/test.cfm');             req.method = URLRequestMethod.POST;              var postData:URLVariables = new URLVariables();             postData.userName = 'Joe';             postData.userCoolness = 'very-cool';              req.data = postData;             navigateToURL(req);         }      ]]> </mx:Script>  <mx:Button click='btn_click()' label='Submit' /> 

… and in that page, I set a cookie, called ‘USERID’, with a value of ‘12345’. After clicking Submit, and navigating to another CFM, my server logs reveal the cookie passed through in the request:

POST /test.cfm HTTP/1.1 Mozilla/5.0
ASPSESSIONIDAASRDSRT=INDFAPMDINJLOOAHDELDNKBL;
JSESSIONID=60302395a68e3d3681c2;
USERID=12345
test.enunciato.org 200

If you test it out yourself, you’ll see the postData in there as well.

Make sense?