HTTP cookies, or how not to design protocols
Michal Zalewski – HTTP cookies, or how not to design protocols:
"There is simply no accurate, offcial account of cookie behavior in modern browsers; the two relevant RFCs, often cited by people arguing on the Internet, are completely out of touch with reality. This forces developers to discover compatible behaviors by trial and error - and makes it an exciting gamble to build security systems around cookies in the first place."