[dgoldstein0]

exactly. It still boggles my mind that browsers don't send up the path and domain of a cookie when sending the name & value with a request.

for anyone interested in the topic, https://www.usenix.org/system/files/conference/usenixsecurit... is a must read