
Because HTTP is stateless and session-less, and cookies are a hack to make it stateful. We introduced the notion of a session where we already had one, in the form of TLS sessions.

Note that it would also make APIs much simpler by moving the authentication, authorization and session logic into the certificate, where it actually already is.



> We introduced the notion of a session where we already had one, in the form of TLS sessions.

But that would only apply to HTTPS. An extension to HTTP itself was necessary so state could be maintained for both HTTP and HTTPS, especially in the mid-1990s (the era when cookies and HTTPS were introduced), when acquiring a CA-signed certificate was cumbersome and expensive.


That is true, but I'm one of those guys who believe HTTP-only should die.

Even without going as far as that, I believe that as soon as you have to manage some kind of session you're going to have private data flying around, and that should be protected in TLS.



