Loosely Scoped Cookie
ID | loosely_scoped_cookie
Severity | info
Kind | Session Management
CWE | 565
Description
Cookies can be scoped by domain or path. This check is only concerned with domain scope. The domain scope applied to a cookie determines which hosts the browser will send it to. A cookie set without a Domain attribute is a host-only cookie: it is sent only to the exact host that set it, e.g. www.nottrusted.com. A cookie set with a Domain attribute naming a parent domain, e.g. Domain=nottrusted.com, is loosely scoped: the browser sends it to nottrusted.com and to every subdomain of nottrusted.com (a leading dot in the attribute value, as in Domain=.nottrusted.com, is ignored by browsers that follow RFC 6265). Loosely scoped cookies are common in mega-applications like google.com and live.com, where many subdomains share one session. By contrast, a cookie set by app.foo.bar with no Domain attribute is transmitted only to app.foo.bar; a cookie scoped to the parent foo.bar is transmitted to the parent and to any subdomain of the parent, including subdomains the setting application does not control.
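The following is an added example, not code from the scanner or the original page. It models the RFC 6265 domain-matching rules described above (host-only cookies versus a Domain attribute), decides which hosts a browser would send a given cookie to, and flags Set-Cookie headers whose Domain attribute names a parent of the host that set them. The sample headers and host names are constructed for illustration; public-suffix rejection (e.g. Domain=com) is assumed out of scope and is noted in the code.

```python
"""Classify Set-Cookie domain scope the way a browser does (RFC 6265 5.1.3, 5.2.3, 5.3)
and flag loosely scoped cookies. Added example; sample data below is constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    domain: Optional[str]  # None => host-only cookie (no Domain attribute)


def parse_set_cookie(header: str) -> Cookie:
    """Extract the cookie name and normalised Domain attribute from one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            # RFC 6265 5.2.3: a leading dot is ignored; domain names are case-insensitive
            domain = value.strip().lower().lstrip(".")
    return Cookie(name=name.strip(), domain=domain)


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals domain, or host is a subdomain of domain."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def browser_accepts(cookie: Cookie, setting_host: str) -> bool:
    """RFC 6265 5.3 step 6: a Domain attribute that does not cover the setting host is rejected.
    Assumption: rejection of public suffixes (e.g. Domain=com) is not modelled here;
    a real check would also consult the public suffix list."""
    return cookie.domain is None or domain_matches(setting_host, cookie.domain)


def sent_to(cookie: Cookie, setting_host: str, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if not browser_accepts(cookie, setting_host):
        return False
    if cookie.domain is None:  # host-only: exact host match only
        return request_host.lower() == setting_host.lower()
    return domain_matches(request_host, cookie.domain)


def is_loosely_scoped(cookie: Cookie, setting_host: str) -> bool:
    """Loosely scoped: the Domain attribute names a proper parent of the setting host,
    so every sibling subdomain of that parent receives the cookie."""
    if cookie.domain is None or not browser_accepts(cookie, setting_host):
        return False
    return cookie.domain != setting_host.lower()


def scan(setting_host: str, headers: List[str]) -> List[str]:
    """Names of loosely scoped cookies set by a response from setting_host."""
    return [c.name for c in map(parse_set_cookie, headers)
            if is_loosely_scoped(c, setting_host)]


# Constructed sample response from app.nottrusted.com (not real traffic)
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",   # host-only: app.nottrusted.com only
    "TRACKING=xyz; Domain=.nottrusted.com; Path=/",  # loosely scoped: all of nottrusted.com
    "PREF=1; Domain=app.nottrusted.com; Path=/",     # own host (and its subdomains)
    "BAD=1; Domain=evil.example; Path=/",            # rejected by the browser
]

if __name__ == "__main__":
    host = "app.nottrusted.com"
    for h in SAMPLE_HEADERS:
        c = parse_set_cookie(h)
        print(f"{c.name:10} loose={is_loosely_scoped(c, host)} "
              f"to_admin={sent_to(c, host, 'admin.nottrusted.com')} "
              f"to_parent={sent_to(c, host, 'nottrusted.com')}")
    print("findings:", scan(host, SAMPLE_HEADERS))  # ['TRACKING']
```

Note that PREF is not flagged even though it carries a Domain attribute: Domain=app.nottrusted.com still reaches sub-subdomains such as a.app.nottrusted.com, but not sibling hosts like admin.nottrusted.com, which is the exposure this check is about.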
Rationale
Loosely scoped cookies accessible to all subdomains create opportunities for an attacker who compromises any one subdomain to steal session cookies intended for the parent domain or for other subdomains. If an attacker gains control of a less-secured subdomain (for example through subdomain takeover or XSS), the browser will send the loosely scoped cookies to that subdomain, so the attacker can read them from incoming requests (or, where they are not HttpOnly, from document.cookie). Because browsers do not record which host originally set a cookie, the same attacker can also set or overwrite cookies for the parent domain from the compromised subdomain (cookie tossing). This violates the principle of least privilege and expands the attack surface, potentially enabling session hijacking, session fixation, privilege escalation, or unauthorized access to user accounts across the domain hierarchy.