Afaik, the cookie 'frontend' set right before sending the current action.
Take a look at Mage_Core_Controller_Varien_Action::preDispatch() .
Session start
Looking at preDispatch() , find the line that starts the session:
Mage::getSingleton('core/session', array('name' => $namespace))->start();
which usually (if not redefined) is finally displayed on
Mage_Core_Model_Session_Abstract_Varien::start()
This is the place where all standard session files are initialized, including cookie settings, using session_set_cookie_params .
Revalidation
Remember that as soon as a cookie already exists, the first cookie manipulation may already occur when the main session receives an instance, i.e. before calling start() . This is because the constructor calls revalidateCookie() when instantiating the main session. Cm:
Mage_Core_Model_Session_Abstract_Varien::init()