control-spec.txt should say that controllers should check the length of authentication-cookie files