by jpoesen 1270 days ago
Great news! But please run it on your main domain, as something like social.washingtonpost.com rather than washingtonpost.social.

Running the instance under your own well-known domain equals instant verification and trust, whereas anyone can set up a .social.

On the other hand, you end up leaking cookies between the two subdomains when you take this approach. If one site gets hacked, so does the other. It’s better to use two separate domains and begin establishing trust for the new domain.
Only if you don’t pin your cookies to the subdomain and/or are not using HttpOnly. Even if you screw that up, cookie tossing in general is a rather low risk item; I don’t think it’s accurate at all to say “if one site gets hacked so does the other.”
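
Added example, not part of the thread: a small Node.js audit of `Set-Cookie` headers that reports whether a cookie is host-only or shared with sibling subdomains, and whether page script can read it. The function names, the `example.com` hostnames and the cookie values are constructed for illustration.

```javascript
// Audit Set-Cookie headers for cross-subdomain exposure.
// Hostnames and cookie values are constructed sample data.

function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

function auditSetCookie(header, responseHost) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  // No Domain attribute: host-only cookie, sent only to responseHost.
  // Domain=d: sent to d itself and to every subdomain of d.
  let scope = responseHost.toLowerCase();
  if (typeof attrs.domain === 'string' && attrs.domain !== '') {
    const d = attrs.domain.replace(/^\./, '').toLowerCase();
    scope = '*.' + d;
    findings.push('shared-with-subdomains-of:' + d);
  }
  if (!attrs.httponly) findings.push('readable-by-script');
  if (!attrs.secure) findings.push('sent-over-plain-http');
  // __Host- cookies must be Secure, use Path=/ and carry no Domain
  // attribute, so a sibling subdomain cannot set or overwrite them.
  if (name.startsWith('__Host-') &&
      (attrs.domain !== undefined || !attrs.secure || attrs.path !== '/')) {
    findings.push('invalid-__Host-prefix');
  }
  return { name, scope, findings };
}

// Constructed responses from a hypothetical main site, www.example.com.
const samples = [
  'session=abc123; Domain=example.com; Path=/',
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  '__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
];
for (const s of samples) {
  console.log(auditSetCookie(s, 'www.example.com'));
}
```

Only the first sample would also be sent to a sibling such as `social.example.com`; the other two stay on the host that set them.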