by walden42 4366 days ago
Leaking cookies to subdomains IS a problem, but it shouldn't be too big of a deal security-wise if they are encrypted (as they usually are).
2 comments

No, it's always a security problem. http://en.wikipedia.org/wiki/Session_hijacking
Assuming you're referring to the "SECURE" flag; this flag merely instructs the browser to only send the cookie over HTTPS (never plain HTTP), but the browser will merrily send it to any server that matches the cookie domain, and the way HTTPS works, this means whoever receives the cookie will be legitimately able to decrypt it.
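
The matching rule discussed in this thread, as an added example that is not part of the original comments: a simplified model of RFC 6265 cookie matching, comparing a `Secure` cookie set with `Domain=example.com` against a host-only one. All host names and the helper names (`domainMatches`, `storeCookie`, `wouldSend`, `report`) are constructed for illustration; path, expiry, SameSite and public-suffix checks are left out.

```javascript
// Added example: domain and Secure matching only, per RFC 6265.
// Host names below are constructed sample values.

// RFC 6265 section 5.1.3: a host domain-matches the cookie domain if it is
// identical, or if it ends with "." + domain and is not an IP address.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Model what a browser stores for a Set-Cookie received from originHost.
function storeCookie(originHost, { name, domain, secure = false }) {
  if (domain === undefined) {
    // No Domain attribute: host-only cookie, returned to originHost alone.
    return { name, domain: originHost.toLowerCase(), hostOnly: true, secure };
  }
  const d = domain.replace(/^\./, "").toLowerCase(); // leading dot is ignored
  if (!domainMatches(originHost, d)) return null;    // browser rejects it
  return { name, domain: d, hostOnly: false, secure };
}

// Would the browser attach this cookie to a request for url?
function wouldSend(cookie, url) {
  const u = new URL(url);
  // Secure only restricts the scheme; it says nothing about which host.
  if (cookie.secure && u.protocol !== "https:") return false;
  return cookie.hostOnly
    ? u.hostname.toLowerCase() === cookie.domain
    : domainMatches(u.hostname, cookie.domain);
}

const wide = storeCookie("www.example.com", { name: "sid", domain: "example.com", secure: true });
const hostOnly = storeCookie("www.example.com", { name: "sid", secure: true });

function report() {
  const urls = [
    "https://www.example.com/",
    "https://blog.example.com/",      // a different subdomain
    "http://blog.example.com/",       // same subdomain over plain HTTP
    "https://example.com.other.test/" // lookalike, not a subdomain
  ];
  return urls.map((url) => ({ url, wide: wouldSend(wide, url), hostOnly: wouldSend(hostOnly, url) }));
}
console.table(report());
```

Omitting the `Domain` attribute is what keeps the cookie off sibling subdomains; the `Secure` flag only changes the plain-HTTP row.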