I see this behaviour too, using Lynx to browse openacs.org and
www.arsdigita.com. So as far as I can see, it is not you doing
something wrong. You appear to me to have found a genuine
bug.
Encoding the cookie values seems a good solution to me, though you'd
have to allow for "converting" old non-encoded cookies too, unless you
wish to break all current stored cookies!
Cookies are set in only 17 or so .tcl files within OpenACS 3.2.4.
Hand hacking these places to use ns_urlencode would be pretty
straightforward from a quick scan of the relevant code (do something
like
grep -ri Set-Cookie *
at the top of your ACS tree to find them).
Finding the places where cookies are searched for in the headers
(to attempt decoding in each place) is marginally more interesting,
but I suspect that something like
egrep -ri "ns_set get .*Cookie" *
will find them, and again there are not too many places to
hack in a call to ns_urldecode.
