Alexander faults the Netscape Cookie Specification (NCS) and then hopes a new, improved specification will emerge. But what about RFC 2109 (Feb 1997) and RFC 2965 (Oct 2000)? These both suggest cookie improvements, with new HTTP headers (Set-Cookie2), a different way of specifying lifespan (Max-Age in seconds rather than an absolute date with Expires) and a protocol by which servers can revoke cookies they'd earlier left with clients.
All in all, this article is pretty helpful. It never hurts to be reminded of security vulnerabilities. But the NCS is 9 years old and has been obsoleted by 2 RFCs since. True, it seems most web applications and browsers still adhere to the NCS. But in 2004 we should be discussing cookies in light of RFC 2965. This article could've existed 7 years ago.
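As an added example (not part of the comment above or the article it responds to), the following Python parser shows the Max-Age versus Expires difference the comment points at, and how RFC 2965 revocation via Max-Age=0 looks to a client. The header values and timestamps are constructed for illustration; the stdlib date parser is used because it accepts the NCS `DD-Mon-YYYY` form.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

UTC = timezone.utc


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)
    expires_at: Optional[datetime] = None   # None: session cookie
    revoked: bool = False                   # True: client must discard it


def parse_set_cookie(header: str, received_at: datetime) -> Cookie:
    """Parse a Set-Cookie / Set-Cookie2 value; received_at is the client's clock."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip().strip('"')  # names are case-insensitive
    cookie = Cookie(name.strip(), value.strip().strip('"'), attrs)

    if "max-age" in attrs:
        # RFC 2109/2965 Max-Age: a delta in seconds measured on the client's own
        # clock, so server/client clock skew cannot change the lifetime.
        # Max-Age=0 is how an RFC 2965 server revokes a cookie it set earlier.
        seconds = int(attrs["max-age"])
        cookie.revoked = seconds <= 0
        cookie.expires_at = received_at + timedelta(seconds=max(seconds, 0))
    elif "expires" in attrs:
        # NCS Expires: an absolute server date compared against the client clock,
        # so any skew between the two shifts the effective lifetime.
        when = parsedate_to_datetime(attrs["expires"])
        if when.tzinfo is None:
            when = when.replace(tzinfo=UTC)
        cookie.expires_at = when
        cookie.revoked = when <= received_at
    return cookie


def lifetime_seconds(header: str, client_clock: datetime) -> int:
    """Seconds the cookie lives for a client whose clock reads client_clock (-1: session)."""
    cookie = parse_set_cookie(header, client_clock)
    if cookie.expires_at is None:
        return -1
    return max(int((cookie.expires_at - client_clock).total_seconds()), 0)
```

With a constructed client clock one hour behind the server, the Expires cookie appears to live twice as long while the Max-Age cookie keeps its one-hour lifetime.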