Cookie Tossing
26 October, 2020
Introduction
The way cookie headers work is that a cookie set for a domain, example.com, [insert actual data] cannot be accessed from cookie.io or subdomain.cookie.com, but if we set a cookie on subdomain.example.com scoped to example.com, it will also be sent to example.com.
So, for example, if example.com uses a session cookie and the subdomain also creates a cookie _session=SOMETHINGRANDOM, then when someone opens example.com this cookie will also be sent, which would cause an issue and may log the user out.
This is called cookie tossing.
- Simple cookie tossing
- Changing the Path of the Set-Cookie so that it only affects a specific path
- Escaping the cookie value: for example, if we encodeURIComponent the cookie, it may be decoded at the server and result in the same cookie.
- There is a hard limit on the number of cookies that can be set for a domain, and as per the article, browsers may evict all the cookies if we add too many; once they are cleared, the malicious cookie can be set, so we can set the BAD cookie value.
Because of cookie tossing, we must carefully evaluate whether we want untrusted people to host JS code on our subdomain.
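An added example (not from the original post) of what the server side of this looks like: a Cookie header parser that keeps duplicate names so a tossed cookie can be flagged instead of silently winning, plus a check that a Set-Cookie header follows the __Host- prefix rules, which make a cookie name untossable from subdomains. The sample headers are constructed; the __Host- rules come from the cookie-prefixes spec, which the post itself does not mention.

```python
# Added example: detecting cookie tossing on the server and checking a
# toss-resistant Set-Cookie. Sample headers below are constructed.
from typing import Dict, List, Tuple


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie request header into (name, value) pairs, keeping
    duplicates and their order. Browsers send the cookie with the more
    specific Path first, so a tossed cookie usually precedes the real one."""
    pairs: List[Tuple[str, str]] = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def find_tossed(header: str) -> Dict[str, List[str]]:
    """Return every cookie name that appears more than once, with all of
    its values. A framework that keeps only the first occurrence would use
    the shadowing value; flagging duplicates lets the server reject them."""
    seen: Dict[str, List[str]] = {}
    for name, value in parse_cookie_header(header):
        seen.setdefault(name, []).append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}


def is_toss_resistant(set_cookie: str) -> bool:
    """Check a Set-Cookie header for the __Host- prefix rules: the name
    starts with __Host-, Secure is set, Path=/, and there is no Domain
    attribute. Browsers refuse a __Host- cookie that breaks these rules,
    so a subdomain cannot set one scoped to the parent domain."""
    name_part, *attrs = [p.strip() for p in set_cookie.split(";")]
    name = name_part.partition("=")[0].strip()
    if not name.startswith("__Host-"):
        return False
    lowered = {a.split("=", 1)[0].strip().lower(): a for a in attrs}
    has_secure = "secure" in lowered
    path_ok = lowered.get("path", "").split("=", 1)[-1].strip() == "/"
    no_domain = "domain" not in lowered
    return has_secure and path_ok and no_domain


# Constructed: request after a subdomain set "session=EVIL; Path=/login"
TOSSED = "session=EVIL; session=abc123; theme=dark"
```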
Read Next: https://en.wikipedia.org/wiki/Clickjacking
References:
#infosec