http - Can subdomain.example.com set a cookie that can be read by example.com? - Server Fault
Tags: http, request, server, cookie, subdomain
"(...) Quoting from the same RFC2109 you read:
* A Set-Cookie from request-host x.foo.com for Domain=.foo.com would
So subdomain.example.com can set a cookie for .example.com. So far so good.
The following rules apply to choosing applicable cookie-values from
among all the cookies the user agent has.
The origin server's fully-qualified host name must domain-match
the Domain attribute of the cookie
So do we have a domain-match?
* A is a FQDN string and has the form NB, where N is a non-empty name
string, B has the form .B', and B' is a FQDN string. (So, x.y.com
domain-matches .y.com but not y.com.) (...)"