Cookies are just a way to store session-id. I'd understand if the author wanted to define a special session-tracking API (in essence, adding state to HTTP) with protection against cross-site scripting, etc.
But this crap? No way.
How can I use OpenID with digest authentication? How do I use GSSAPI (Kerberos or SMKP)?
Use single responsibility principle and split the spec into session-tracking stuff and use digest authentication as one way to provide session identifiers.