From a URL executed Java backed WebScript you can access the HttpServletRequest and HttpServletResponse to get/set Cookies etc. thus:
From within a Surf component WebScript you are more limited in that you are running as part of a full page execution - i.e. you cannot directly write to the response header as part of it may already have been committed - such as Cookies etc. and any number of components previously to yours, so you can only access the HttpServletRequest as that is safe to do so.
public void execute(WebScriptRequest req, WebScriptResponse res) throws IOException
HttpServletRequest httpReq = ((WebScriptServletRequest)req).getHttpServletRequest();
HttpServletResponse httpRes = ((WebScriptServletResponse)res).getHttpServletResponse();