Bug Database
Bug ID: 6644726
Votes 0
Synopsis Cookie management issues
Category java:classes_net
Reported Against
Release Fixed 7(b27)
State 10-Fix Delivered, bug
Priority: 3-Medium
Related Bugs 6641315 , 6646221
Submit Date 21-DEC-2007
Description
1) HttpCookie.domainMatches(String domain, String host) seems broken.
  Specifically it returns 'false' when domain is ".yahoo.com" and host is "cm.my.yahoo.com"
  The error is in the following code:

       else if (lengthDiff > 0) {
           // need to check H & D component
           String H = host.substring(0, lengthDiff);
           String D = host.substring(lengthDiff);

           return (H.indexOf('.') == -1 && D.equalsIgnoreCase(domain));
       }

 In here lengthDiff is the length difference between host and domain. So H becomes "cm.my" and D becomes ".yahoo.com" which is OK.
 Except for the following line, where it specifically tests for an absence of '.' in H, which is wrong.

2) InMemoryCookieStore uses the full URI as a search index, including the scheme. So cookies don't cross over from http://foo.com to https://foo.com and vice versa. It also uses the port number. Both are in contradiction with the RFC.

3) CookieManager/InMemoryCookieStore don't take into account the "Secure" tag of cookies. When a cookie is tagged "Secure" it should only be sent if the scheme is https. Right now, this is ignored when returning cookies.
Posted Date : 2007-12-21 13:16:50.0

4) The "expires" field is parsed a bit too strictly. It expects the date to be in the "EEE, dd-MMM-yyyy HH:mm:ss GMT" format, and therefore rejects cookies set with a slightly different format (e.g. from Yahoo: 'FPS=ds;expires=Wed, 19 Aug 2015 16:00:00 GMT;path=/;domain=www.yahoo.com', notice the absence of '-').
Posted Date : 2008-02-08 12:53:46.0

5) The CookieManager doesn't attribute a default path to the cookies. When no 'path' is explicitly specified, specs say the path should be the directory of the document. E.g., for a cookie whose doc URI is 'http://www.foo.bar/dir/page/doc.html' the default path should be '/dir/page'.
Posted Date : 2008-04-07 14:10:17.0

6) If CookieManager.get() is called with a URI that does not contain a path, e.g. "http://www.sun.com" instead of "http://www.sun.com/", it does not return any cookies, even if CookieManager contains cookies for the URI.

The relevant code is:

    /*
     * path-matches algorithm, as defined by RFC 2965
     */
    private boolean pathMatches(String path, String pathToMatchWith) {
        if (path == pathToMatchWith)
            return true;
        if (path == null || pathToMatchWith == null)
            return false;
        if (path.startsWith(pathToMatchWith))
            return true;

        return false;
    }

That needs to cater for the case where path is the empty string.
Posted Date : 2008-04-08 13:43:42.0

7) The 'Port' optional attribute is not enforced by the CookieManager. It should be checked before sending cookies with an HTTP request. See RFC 2965 sections 3.2.2, 3.3.1 and 3.3.2.
Posted Date : 2008-04-10 13:33:03.0
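
The send-time checks that items 1, 2, 3, 5 and 6 of the description call for, as an added example that is not the JDK source or the fix delivered for this bug. The class and method names are hypothetical, and the domain check covers only the leading-dot case discussed in item 1.

```java
import java.net.URI;
import java.util.Locale;

// Added example, not JDK source. Names and structure are illustrative.
public class CookieSendCheck {

    // Item 1. version 0 = Netscape draft (plain tail match);
    // version 1 = RFC 2965 (the host part before the domain may not contain a dot).
    static boolean domainMatches(String domain, String host, int version) {
        if (domain == null || host == null) return false;
        String d = domain.toLowerCase(Locale.ROOT), h = host.toLowerCase(Locale.ROOT);
        if (h.equals(d) || ("." + h).equals(d)) return true;
        if (!d.startsWith(".") || !h.endsWith(d)) return false;
        String prefix = h.substring(0, h.length() - d.length());
        return version == 0 || prefix.indexOf('.') == -1;
    }

    // Item 5. Default path is the directory of the document URI.
    static String defaultPath(URI doc) {
        String p = doc.getPath();
        if (p == null || !p.startsWith("/")) return "/";
        int i = p.lastIndexOf('/');
        return i == 0 ? "/" : p.substring(0, i);
    }

    // Item 6. RFC 2965 prefix match, with an empty request path treated as "/".
    static boolean pathMatches(String requestPath, String cookiePath) {
        if (cookiePath == null) return false;
        if (requestPath == null || requestPath.isEmpty()) requestPath = "/";
        return requestPath.startsWith(cookiePath);
    }

    // Items 2 and 3. Scheme and port are not part of the match, except that a
    // Secure cookie is only returned for https.
    static boolean shouldSend(URI req, String domain, String path, boolean secure, int version) {
        if (secure && !"https".equalsIgnoreCase(req.getScheme())) return false;
        return domainMatches(domain, req.getHost(), version) && pathMatches(req.getPath(), path);
    }

    public static void main(String[] args) {
        // Constructed inputs using the hosts and URIs quoted in the report.
        System.out.println(domainMatches(".yahoo.com", "cm.my.yahoo.com", 0));
        System.out.println(domainMatches(".yahoo.com", "cm.my.yahoo.com", 1));
        System.out.println(defaultPath(URI.create("http://www.foo.bar/dir/page/doc.html")));
        System.out.println(shouldSend(URI.create("http://www.sun.com"), ".sun.com", "/", false, 0));
        System.out.println(shouldSend(URI.create("http://foo.com"), "foo.com", "/", true, 0));
        System.out.println(shouldSend(URI.create("https://foo.com"), "foo.com", "/", true, 0));
    }
}
```

The two `domainMatches` calls differ only in the cookie version, which is the Netscape draft versus RFC 2965 distinction the Evaluation raises for item 1.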
Work Around
N/A
Evaluation
See Description.
Will fix in JDK7 as soon as possible.
Posted Date : 2007-12-21 13:26:44.0

Note that the first issue is actually related to whether the cookie conforms to Netscape draft specs or to RFC 2965. So, it depends on the version of the HttpCookie.
Posted Date : 2008-04-17 09:14:39.0
Comments
  

Submitted On 11-APR-2008
yegong1985
I found the same problems:
CookieManager / HttpCookie.parse() 
There is one not listed above.
If there is no domain in the cookie string, the parser will not take the host of the URL as the domain. Now, it's ok, but when we call CookieManager.get, it will check host~=domain. Then the check returns false....
Bad news...
yegong1985@gmail.com


Submitted On 10-AUG-2008
HumanFactor
One more.

InMemoryCookieStore.get(URI uri) and InMemoryCookieStore.getCookies() always return a List<HttpCookie> which consists of only one HttpCookie - the last one received. All the others are not returned.


