why doesn't cfcookie allow setting domain= to a subdomain for CFID/CFTOKEN?

<cfcookie name="CFID" value="#session.cfid#" domain=".demo.labs.dev">

yields:

Set-Cookie: CFID=4215; Domain=.labs.dev; Expires=Sat, 04-Jul-2043 01:43:49 GMT; Path=/; HttpOnly

But if I use <cfheader> directly:

<cfheader name="Set-Cookie"
      value="CFID=4212; Domain=.demo.labs.dev; Expires=Sat, 04-Jul-2043 01:37:03 GMT; Path=/; HttpOnly">

yields:

Set-Cookie: CFID=4212; Domain=.demo.labs.dev; Expires=Sat, 04-Jul-2043 01:37:03 GMT; Path=/; HttpOnly

And that's really what I want.

Why does <cfcookie> behave this way? Current workaround would be using <cfheader> instead.

Solution

Apparently it is now fixed...

https://bugbase.adobe.com/index.cfm?event=bug&id=3593673

httpOnly cookie with React NodeJS not sending cookie to server by applying the network IP address
3rd party cookies in Android 14/New Chrome using Angular/Firebase Auth/Hosting and NodeJs in Server
How do I use window.fetch() with httpOnly cookies or basic auth
Graphql Set-Cookie being sent but not being set
How to Delete a Cookie in a Next.js 14 Middleware After External API Validation
Protect the app from bypassing the root detection (Frida Server)
Refresh token coming from Nest.js as cookie does not get persisted after refresh
Where to store the refresh token on the Client?
Next.js 15: Error setting cookies in server action
Setting cookie from java spring boot rest API to angular
Correct way to delete cookies server-side
Browser ignoring Set-Cookie
How to Properly Set Up Auth Middleware in Nuxt 3 with Node.js Backend?
How do I store a cookie recording if a user clicked a button, using JavaScript?
Can using access token alone prevent CSRF attack, since browser prevents accessing cookies of another site?
How does Double Submit Cookie Pattern Prevent against CSRF attacks?
Curl cookie authentication
Set-Cookies Header not setting the cookie
Why CSRF token should be in meta tag and in cookie?
I can't receive `httponly` cookie on `localhost` HTTPS back end
How to get cookie value in expressjs
Cookie with Max-Age = 0 and Expire = session survived after HTTP redirect?
Sending custom cookies (and viewing the ones set naturally) with Perl's WWW::Mechanize
Cookies headers are present but Cookies are not stored in browser
Django HTTP response always sets `sessionid` cookie and session data do not persist
How to delete a cookie in FastHTML?
How to disable cookies in Django manually
How to delete cookie with Django in Docker?
Unable to set/get/delete cookies in Next.js 15 route handlers using the Cookies API?
How to bypass SameSite cookie restriction in Microsoft Edge during local development (HTTP) so browser can accept cookie send from backend