A number of posts have reported on the death of the cookie, like this one in VentureBeat, but, as Mark Twain famously said, "the reports of my death have been greatly exaggerated".
As the 95 Directive (95/46/EC) Article 6 says, personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes", and "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed".
What the VentureBeat piece is referring to are third-party cookies which have other issues, basically because they are used invisibly. In effect they are used to log people in without their knowledge, or to identify them when they go to other websites.
The relevant part of the Directive here is Article 10 because no information about "the identity of the controller and of his representative, if any" and "purposes of the processing for which the data are intended" is given to the data subject.
In line with this, Article 5(3) of the e-privacy Directive (2009/136/EC) requires that informed prior consent for storage, including use of first-party or third-party cookies and fingerprinting etc., must be given before use if they are not strictly necessary to supply an explicitly requested service.
People should not be logged in without their consent, and, even then, any authentication cookie used should expire no more than a few hours after the last transaction, unless a longer logged-on duration has been explained and agreed to.