Cookies are supposed to be sent back only to the server that set them, but you are depending on the browser for the determination of where to send them. Some older browsers would let you set a cookie to be sent back to domain '.com.', with the result of sending the cookie back to any .com server it contacted. People rolling their own spider code will frequently copy the Cookie headers from a test request without bothering to find out what they mean, resulting in odd cookies being sent to web servers everywhere. Some anonymizing or sanitizing proxies will replace cookies that are commonly used for tracking browsers with versions that contain random identifiers, so the site will not give them a cookie error, but will also not get any useful information from the cookies they attempt to set. So although it is rare for cookies to actually 'leak', there are all kinds of fringe cases that can result in you getting strange cookies.