Let's assume I have my website on different domains, for example:

- sub1.domain.com
- sub2.domain.com
- domain.com
So, how can I restrict my cookies for sub2.domain.com, but at the same time allow it for sub1.domain.com and domain.com?
The 2 domains domain.com and sub1.domain.com can only share cookies if the domain is explicitly named in the Set-Cookie header. Otherwise, the scope of the cookie is restricted to the request host. (Referred to as a "host-only cookie")
If you send the following header from sub1.domain.com, then the cookie won't be sent for requests to domain.com:

    Set-Cookie: name=value
However if you use the following, it will be usable on both domains:
    Set-Cookie: name=value; domain=domain.com
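Added example (not code from the original answer): a small model of the browser's RFC 6265 domain matching that shows which of the three hosts receives the cookie for each Set-Cookie variant above. It also shows that a Domain of domain.com reaches sub2.domain.com as well, so the Domain attribute alone cannot exclude one sibling subdomain; the host names are the question's, the function names are mine.

```python
# Added example: which hosts a cookie reaches, depending on its Domain attribute.
from http.cookies import SimpleCookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the request host equals the cookie domain,
    or the cookie domain is a suffix of the host preceded by a dot."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")  # a leading dot is ignored by browsers
    return host == dom or host.endswith("." + dom)


def hosts_receiving(set_cookie_header: str, origin_host: str, hosts):
    """Return the entries of `hosts` to which a cookie set by `origin_host`
    with `set_cookie_header` would be sent. Only the Domain attribute is
    modelled; Path, Secure, SameSite and expiry are ignored here."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_header)
    (morsel,) = cookie.values()
    domain_attr = morsel["domain"]
    if not domain_attr:
        # No Domain attribute: host-only cookie, scoped to the exact request host.
        return [h for h in hosts if h.lower() == origin_host.lower()]
    # A browser rejects a Domain that does not cover the setting host,
    # so such a cookie is never stored and reaches nobody.
    if not domain_matches(origin_host, domain_attr):
        return []
    return [h for h in hosts if domain_matches(h, domain_attr)]


# Constructed sample: the three hosts from the question.
HOSTS = ["domain.com", "sub1.domain.com", "sub2.domain.com"]

if __name__ == "__main__":
    for hdr in ("name=value", "name=value; domain=domain.com"):
        print(f"{hdr!r:40} -> {hosts_receiving(hdr, 'sub1.domain.com', HOSTS)}")
```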