All cookies are http-only. Auth & member's sid - ssl only.

sid     # current session id

# planned

cid     # unique client id, for guests (signed?)
auth    # authorization token (expires on server too)
lang    # selected language, for guest, if not default