Accept-language is an okish default, but web pages end up needing to provide overrides because users are not always in control of those values, or the user may have preferences that don't fit the scheme. A cookie is a reasonable place to store the override.
Http login is really hard to make user friendly, and has no way to logout in a user friendly way; the user needs to be prompted for a password again and not enter it. An HTML form and cookies just works better.
For languages, yes, overrides could be stored in a cookie, although they could also be stored in the URL (especially for documents intended to be downloaded). It could also support both. The reasons you mention are valid reasons to allow an override. (Still, if cookies are used for this or any other purpose, all cookies and their values should be documented, in case the user wishes to adjust them (or copy them) manually, and/or to understand what they are for.)
Logout (and the duration that the login data is kept) is the responsibility of the user agent. Unfortunately, none that I know of provide the user any control over that.
Http login is really hard to make user friendly, and has no way to logout in a user friendly way; the user needs to be prompted for a password again and not enter it. An HTML form and cookies just works better.