Set-Cookie and Set-Cookie2 troubles

I've done more work with HTTP cookies than I care to admit. My naive assumption when beginning this adventure was that it would suffice to study the relevant RFCs (RFC 2109 and RFC 2965) and implement software compliant with them. It turns out this doesn't work in the world of the cookie. No one respects the RFCs, taking only bits and pieces from them, and instead everyone generally follows the original Netscape cookie "preliminary" specification, published around 1995 on the netscape.com domain. Incidentally, AOL (which of course has since bought Netscape) has very recently made the specification unavailable, which was quite an inconvenience until the curl homepage (below) began hosting a copy and achieved a high enough PageRank.

For a good starting point for learning about the issues, check out these links.

For more fun, cookie RFC author David Kristol wrote a paper regarding the evolution of the RFC, called "HTTP Cookies: Standards, Privacy, and Politics". His summary:

RFC 2965, HTTP State Management Mechanism, took 5 1/2 years to become a Proposed Standard, and yet the major vendors largely ignore it. Therefore its development would, at first glance, seem to have been a colossal waste of time. This paper has explained why it took so long and presents a case study of how the collaborative IETF process works. The fact that the standard may be largely ignored has more to do with other factors than with its technical merit. Moreover, the surrounding discussions of privacy considerations may, in the long run, prove to have been more important for society and the technical community than the technical issues.