Jason,
sites in production orgs are out of the box integrated with a Content Delivery Network to provide global caching and traffic shaping. All unauthenticated pages via HTTP access are cached for 10 minutes if you don't specify otherwise. Caching is controlled via the apex page cache and expires attributes. There is no caching in place if any of the following is true: 

1- if you authenticate site visitors (via portal integration) 

2- if your request is a HTTPS request

3- if you set cache="false" for your page

In your example your page is cached for 10 minutes. So, it's the Page that's cached, not the cookie. 
Your code is reflecting the cookie value back in the page, andthe content of that page gets cached. 

We do not think this is a bug. You can disable the caching for your page for your use case.

The page is generated on the server side. And if the page caching is ON  (change parameter) then we cache the entire page (generated page) based on the URL for the desired duration (expires parameter).

So if you page is cached the generated page is served from cache, request won't even come to the origin and the page gets served from the closest location to the requester's location.

correct. However, this doesn't mean you don't have to use caching if your page is dynamic. You have the full control for the caching duration (in seconds). You need to consider how often your content changes. If it changes every hour then there is no need to query data on every request, your page can be served from 50,000 servers from all around the world from the closest location to your visitors. You need to consider your traffic pattern, nature of the content and site governor limits.

thank you for the feedback about adding more in docs, we'll definitely do that.

I'm still slightly confused.  From the video I saw he managed to get the same cookie data across two computers.  Cache or no cache that doesn't sound right to me.

Why would the cache contain populated data from another users session?

Seems like sessions are bleeding together no?

Shouldn't the cache system automatically disable caching if you're using user specific cookies if this is the case?

-Richard

Richard,

visualforce pages are generated on the server side. If you code your page to use cookie value to generate the content and if you cache your pages then the consecutive request would get the same cached content. You have the full control to disable the cache.

We wouldn't want to disable caching automatically whenever cookie value is used, since there are many different use cases.

Here is one example how you can use cookie support, url rewriter and still want to use caching:

1- visitor changes the site language. Language switcher set the cookie for the selected language

2- url re-writer reads the language cookie value and generates the url accordingly (like www.acme.com/eng/page1 or www.acme.com/jp/page1)

Okay, thanks for the description.  I can see what you mean from the use case you provided.  I definitely agree with Jason that this needs a big red warning.

Thanks.

-Richard