The problem is not CookieStore itself but the fact that you need to know the caveats if you expect to use it properly. That alone makes it a bad default setting for a framework that favors convention over configuration.