by jjnoakes 636 days ago
According to my understanding, RFC 6265, and MDN, removing the leading dot from the cookie's domain shouldn't have changed whether or not it was sent to subdomains (it should have been sent in either case). What am I missing?

Edit: Maybe I'm misreading. I thought the domain was changed from "breakthroughjuniorchallenge.org" to ".breakthroughjuniorchallenge.org" but maybe it was changed from nothing (which might display as "breakthroughjuniorchallenge.org" in browser debug tools but really is a host-without-subdomains cookie) to ".breakthroughjuniorchallenge.org", which should be the same as changing it from nothing to "breakthroughjuniorchallenge.org" too, I think.

2 comments

I think there is a bit left out - I expect that the cookie was restricted in some other way. Either the logged-in experience was on a different sub-domain (e.g. `app.breakthroughjuniorchallenge.org`) or the cookie was restricted to a sub-path (e.g. `Path=/app`). In either case, changing the scope of the cookie would make it available where it wasn't before.
I think you’re right, it was probably the changing from nothing.
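
The host-only versus Domain-scoped distinction the thread converges on, as an added JavaScript example that is not part of any comment above or of the site's own code. It follows RFC 6265 sections 5.2.3, 5.1.3, 5.3 and 5.4; the function names are illustrative, request hosts are assumed to carry no port, and the public-suffix check is left out.

```javascript
// Added example: RFC 6265 storage and matching rules for the Domain attribute.
// Function names are illustrative; hostnames are the ones quoted in the thread.

// Section 5.2.3: an empty value is ignored; one leading "." is dropped; lowercase.
function parseDomainAttribute(value) {
  if (value === undefined || value === null || value === "") return "";
  const v = value.startsWith(".") ? value.slice(1) : value;
  return v.toLowerCase();
}

// Section 5.1.3: identical, or the host ends with "." + domain and is not an IP address.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Section 5.3 steps 4-6 (public-suffix check omitted): decide what gets stored.
function storeCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  const domain = parseDomainAttribute(domainAttr);
  if (domain === "") return { domain: host, hostOnly: true }; // no Domain: host-only
  if (!domainMatch(host, domain)) return null; // foreign Domain: cookie is ignored
  return { domain, hostOnly: false };
}

// Section 5.4: host-only cookies need an exact host match; others use domain-match.
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Set the cookie from the apex host three ways and see where each one is sent.
function demo() {
  const apex = "breakthroughjuniorchallenge.org";
  const sub = "app." + apex; // subdomain named in the reply above
  const rows = {};
  for (const [label, attr] of [["none", undefined], ["bare", apex], ["dotted", "." + apex]]) {
    const c = storeCookie(apex, attr);
    rows[label] = { hostOnly: c.hostOnly, apex: isSentTo(c, apex), sub: isSentTo(c, sub) };
  }
  return rows;
}
console.table(demo());
```

Only the row with no Domain attribute stays off the subdomain; the bare and dotted forms are stored identically, which is why browser tools that show the stored domain can make a host-only cookie look like a Domain-scoped one.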