Site with custom domain sets cookies in a way that they are also sent with requests to sub-domains of the custom domain
Description
Cookies used on sites should be set to be sent only for requests exactly matching the domain, and never be sent with requests on sub-domains of that domain.
Steps to reproduce
Create a site with a subdomain in the format sub1.example.com
Create another site with a subdomain in the format sub2.sub1.example.com
Enable token authentication on both sites
Navigate to sub1.example.com and enter a valid token
Within the same browsing session, navigate to sub2.sub1.example.com
Expected result
Navigating to sub2.sub1.example.com lands the user on the token login page where they are asked to enter a valid token
Actual result
Navigating to sub2.sub1.example.com lands the user on a token invalid error page. This is because the token cookie of the other site, the one on the parent domain, is sent with the request and used.
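The scoping difference behind this report, as an added example that is not the project's own code: a small model of RFC 6265 domain matching that compares a token cookie set with a `Domain` attribute against a host-only one. The cookie name `site_token`, its value, and the assumption that the site sets a `Domain` attribute are illustrative and not taken from the report.

```javascript
// Model of RFC 6265 cookie scoping (sections 5.1.3 and 5.3), enough to replay the report.
// The cookie name "site_token" and value "tokenA" are constructed sample data.

// A host domain-matches a cookie domain if it is identical to it
// or ends with "." + cookie domain.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Turn a Set-Cookie header received from requestHost into a stored cookie.
// No Domain attribute -> host-only cookie bound to the exact request host.
function storeCookie(setCookieHeader, requestHost) {
  const [pair, ...attrs] = setCookieHeader.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: requestHost.toLowerCase(), hostOnly: true };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    if (key.trim().toLowerCase() !== "domain" || val.trim() === "") continue;
    const d = val.trim().replace(/^\./, "").toLowerCase();
    if (!domainMatches(requestHost, d)) return null; // a host may not set cookies for unrelated domains
    cookie.domain = d;
    cookie.hostOnly = false;
  }
  return cookie;
}

// Decide whether the stored cookie is attached to a request for host.
function isSentTo(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatches(host, cookie.domain);
}

// Build the Cookie request header the browser would send to host.
function cookieHeaderFor(jar, host) {
  return jar.filter((c) => c && isSentTo(c, host))
            .map((c) => `${c.name}=${c.value}`).join("; ");
}

const origin = "sub1.example.com";
const reported = [storeCookie("site_token=tokenA; Domain=sub1.example.com; Path=/", origin)];
const hostOnly = [storeCookie("site_token=tokenA; Path=/", origin)];
for (const [label, jar] of [["Domain attribute", reported], ["host-only", hostOnly]]) {
  console.log(label, "->", JSON.stringify(cookieHeaderFor(jar, "sub2.sub1.example.com")));
}
```

Omitting the `Domain` attribute keeps the token host-only; the `__Host-` cookie name prefix enforces this in browsers, which reject such a cookie if it carries a `Domain` attribute.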