by jefftk 2400 days ago
Sites generally set Domain= on their cookies, and so include subdomains. For example, if you click "sign in" on apple.com it brings you to secure2.store.apple.com and after entering your password it sets a cookie with "Path=/; Domain=apple.com; Secure; HttpOnly".

You're right that this does reduce security on some sites: if domain.example doesn't set Domain= on their cookies then ads.domain.example (CNAMEd to js.ads.example) won't see the cookies but domain.example/ads would. This is pretty rare, though, because sites you log into generally do need their cookies to work across subdomains.

Except this problem is easier to handle with reverse proxies than with subdomains: with subdomains the cookies are sent whether you want them to be or not, while with a reverse proxy the site owner can configure it to strip cookies.
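The two cases in the comment above (a host-only cookie that a CNAMEd subdomain never sees but a reverse-proxied path does, and a Domain=apple.com cookie that every subdomain receives), worked through as an added example that is not the commenter's code. The matching rules follow RFC 6265 sections 5.1.3 (domain-match) and 5.1.4 (path-match); the hostnames and cookie values are constructed, and the `proxy_forward` helper is a stand-in for what a reverse proxy such as nginx does when configured with `proxy_set_header Cookie "";`.

```python
"""Which hosts a browser attaches a cookie to, with and without Domain=,
and how a reverse proxy can drop the Cookie header before forwarding.
Hostnames and values below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    set_by: str          # host that issued the Set-Cookie header
    domain: str = ""     # Domain= attribute; "" means a host-only cookie
    path: str = "/"
    secure: bool = False


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals domain, or host ends with '.' + domain.
    A CNAME target plays no part: the browser matches the name it requested."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".").rstrip(".")
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_is_accepted(cookie: Cookie) -> bool:
    """A browser rejects a Set-Cookie whose Domain= does not cover the issuing
    host (RFC 6265 5.3). The public-suffix check is omitted in this toy."""
    return cookie.domain == "" or domain_matches(cookie.set_by, cookie.domain)


def cookie_sent_to(cookie: Cookie, host: str, path: str = "/", https: bool = True) -> bool:
    """Would the browser attach this cookie to a request for host/path?"""
    if not cookie_is_accepted(cookie):
        return False
    if cookie.secure and not https:
        return False
    if not path_matches(path, cookie.path):
        return False
    if cookie.domain == "":
        return host.lower() == cookie.set_by.lower()   # host-only: exact host match
    return domain_matches(host, cookie.domain)


def proxy_forward(request_headers: dict, strip_cookies: bool) -> dict:
    """Headers a reverse proxy at domain.example/ads passes upstream.
    The proxy receives every cookie the browser sent to domain.example and
    forwards them unless the operator configures it to drop the Cookie header
    (hypothetical stand-in for nginx's proxy_set_header Cookie "";)."""
    forwarded = dict(request_headers)
    if strip_cookies:
        forwarded.pop("Cookie", None)
    return forwarded


if __name__ == "__main__":
    # Site that does NOT set Domain=: a host-only cookie.
    sid = Cookie("sid", set_by="domain.example")
    print("ads.domain.example gets sid:", cookie_sent_to(sid, "ads.domain.example"))    # False
    print("domain.example/ads gets sid:", cookie_sent_to(sid, "domain.example", "/ads"))  # True
    # The apple.com example: Domain= is set, so every subdomain receives it.
    acct = Cookie("acct", set_by="secure2.store.apple.com", domain="apple.com", secure=True)
    print("www.apple.com gets acct:", cookie_sent_to(acct, "www.apple.com"))              # True
    # The reverse proxy can strip cookies before the request reaches the third party.
    hdrs = {"Host": "domain.example", "Cookie": "sid=abc123"}
    print("forwarded upstream:", proxy_forward(hdrs, strip_cookies=True))
```

The `domain_matches` check compares against the host name in the URL, so a CNAME from ads.domain.example to js.ads.example changes nothing about which cookies are attached; the reverse-proxy path is the one the operator can filter, which is the point the comment makes.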