Wonderful. The cookie code comes straight from ACS Classic, to be honest I've never paid attention to it except for fixing the problem with "second to last visit" a few months back, a problem that plagued every ACS Classic as well as OpenACS site on the planet due to a most silly programming error on the part of some aD hacker.
I just read the spec you pointed to, and indeed it appears that the cookie should be encoded in order to exclude commas.
On the other hand, only lynx doesn't like it apparently. Or, at least Konqueror, Mozilla, Explorer and Netscape in their bazillion release variants seem to work OK.
The spec you reference looks like the original Netscape cookie spec, so one immediate question comes to mind - is that the spec that's the official spec today, or was it superceded later on? Is it possible the restrictions on commas was removed later?