Forum OpenACS Q&A: Re: Ecommerce 4.6.3+, new users lose basket contents on sign-up

I noticed some issues with cookie handling that I fixed in one of my installations because I didn't like the way session cookies were set.

A possibility is that the person surfed to www.domain.com, and then was logged in to domain.com.  Since OpenACS 5 doesn't set the cookie domain, I would assume that OpenACS 4.6 doesn't either.

Alternatively, if you've done something like https://secure.domain.com and they came from http://www.domain.com, you would not be able to read the cookie that was set.

Setting the cookie domain will break using subdomains if you want to maintain separate logins, i.e. http://sitea.domain.com and http://siteb.domain.com would not work properly.  But, if all of the hostnames you have serve the same content, you could just set the domain parameter in the cookie, and access http://domain.com, http://www.domain.com, https://secure.domain.com without having to log in each time.
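The cookie scoping described in this reply, as an added example that is not part of the original post and is not OpenACS code: a small model of RFC 6265 matching that shows which of the hostnames from the post receive a session cookie set on www.domain.com, with and without a Domain attribute. The function names and cookie objects are hypothetical, and public-suffix checks are left out.

```javascript
// Added example: RFC 6265 host-only vs. Domain cookie matching.
// Cookie objects are constructed sample data, not OpenACS structures.

// RFC 6265 section 5.1.3 domain-match: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Model what a browser stores after a Set-Cookie response from setByUrl.
// With no Domain attribute the cookie is host-only: bound to that exact host.
function storeCookie(setByUrl, { domain = null, secure = false } = {}) {
  const origin = new URL(setByUrl);
  if (domain !== null && !domainMatch(origin.hostname, domain)) {
    return null; // browsers reject a Domain the setting host does not belong to
  }
  return {
    hostOnly: domain === null,
    domain: domain === null ? origin.hostname : domain.replace(/^\./, ""),
    secure,
  };
}

// Would the browser attach this cookie to a request for url?
function isSentTo(cookie, url) {
  const target = new URL(url);
  if (cookie.secure && target.protocol !== "https:") return false;
  return cookie.hostOnly
    ? target.hostname === cookie.domain.toLowerCase()
    : domainMatch(target.hostname, cookie.domain);
}

// Hostnames taken from the post.
const SITES = ["http://domain.com/", "http://www.domain.com/",
  "https://secure.domain.com/", "http://sitea.domain.com/"];

function report(cookie) {
  return SITES.filter((u) => isSentTo(cookie, u));
}

// Host-only session cookie set on www: no other hostname ever sees it.
const hostOnly = storeCookie("http://www.domain.com/");
// Same cookie with Domain=domain.com: every subdomain gets it, sitea included.
const shared = storeCookie("http://www.domain.com/", { domain: "domain.com" });

console.log("host-only:", report(hostOnly));
console.log("Domain=domain.com:", report(shared));
```

The second result is the trade-off the post describes: once the Domain attribute is set, the session cookie is sent to every host under domain.com, so hosts that need separate logins can no longer be kept apart.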