Session cookies scoped to parent domain - Vulnerability Database

Session cookies scoped to parent domain

Description

The application sets one or more session cookies with a domain scope that includes the parent domain rather than being restricted to a specific subdomain. This configuration causes the cookies to be sent to all subdomains under the parent domain, potentially exposing session tokens to unrelated applications or services hosted on sibling subdomains. This overly permissive scope violates the principle of least privilege for cookie access.

Remediation

Configure session cookies to be scoped to the most specific subdomain possible rather than the parent domain. Set the Domain attribute to the exact subdomain where the application runs, or omit the Domain attribute entirely to default to the current host only (excluding subdomains). Note that per RFC 6265 any Domain attribute, even one naming the exact host, still causes the cookie to be sent to that host's own subdomains (and a leading dot is ignored); only omitting the attribute yields a true host-only cookie.

Example for setting a properly scoped cookie:

Set-Cookie: SESSIONID=abc123; Domain=app.example.com; Path=/; Secure; HttpOnly; SameSite=Strict

Or omit the Domain attribute to restrict to the exact host:

Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict

Review all session cookies in your application and ensure they include the Secure and HttpOnly flags in addition to proper domain scoping. If your application legitimately requires cookie sharing across subdomains, implement additional security controls such as subdomain validation and ensure all subdomains maintain equivalent security standards.
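The following is an added example, not Invicti's code or scanner logic. It implements the RFC 6265 domain-match rule and the host-only rule in simplified form, and uses them to flag session cookies whose Domain attribute names a parent of the host that set them, plus the Secure/HttpOnly review mentioned above. The session cookie names, the host app.example.com and the Set-Cookie headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for session cookies scoped to a parent domain.

Added example (not part of the vulnerability database entry). Implements
RFC 6265 section 5.1.3 domain matching and the host-only rule of section
5.3 in simplified form. Sample hosts and headers are constructed.
"""
from __future__ import annotations

# Constructed list of common session cookie names (assumption for this example).
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "asp.net_sessionid"}


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def effective_domain(issuing_host: str, domain_attr: str | None) -> tuple[str, bool]:
    """Return (cookie_domain, host_only).

    A missing or empty Domain attribute yields a host-only cookie (sent only to
    the exact issuing host). A present Domain, with any leading dot stripped,
    yields a cookie sent to that domain and every subdomain beneath it.
    """
    if not domain_attr:
        return issuing_host.lower(), True
    return domain_attr.lower().lstrip("."), False


def domain_matches(request_host: str, cookie_domain: str, host_only: bool) -> bool:
    """Decide whether a browser would send the cookie to request_host."""
    request_host = request_host.lower()
    if host_only:
        return request_host == cookie_domain
    if request_host == cookie_domain:
        return True
    # Suffix match on a label boundary: "evilexample.com" must not match "example.com".
    return request_host.endswith("." + cookie_domain)


def is_parent_scoped(issuing_host: str, header: str) -> bool:
    """True when a session cookie's Domain is a proper parent of the issuing host."""
    cookie = parse_set_cookie(header)
    if cookie["name"].lower() not in SESSION_COOKIE_NAMES:
        return False
    domain, host_only = effective_domain(issuing_host, cookie["attrs"].get("domain"))
    if host_only:
        return False
    host = issuing_host.lower()
    return domain != host and host.endswith("." + domain)


def missing_flags(header: str) -> set[str]:
    """Return which of the Secure / HttpOnly flags a cookie lacks."""
    attrs = parse_set_cookie(header)["attrs"]
    return {flag for flag in ("secure", "httponly") if flag not in attrs}


def audit(issuing_host: str, headers: list[str]) -> list[str]:
    """Return one finding string per offending Set-Cookie header."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if is_parent_scoped(issuing_host, header):
            domain = cookie["attrs"]["domain"].lstrip(".")
            findings.append(f"{cookie['name']}: Domain={domain} is a parent of {issuing_host}")
        lacking = missing_flags(header)
        if cookie["name"].lower() in SESSION_COOKIE_NAMES and lacking:
            findings.append(f"{cookie['name']}: missing {', '.join(sorted(lacking))}")
    return findings


# Constructed sample: a response from app.example.com setting three cookies.
SAMPLE_HOST = "app.example.com"
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly",   # parent-scoped
    "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",       # host-only, fine
    "theme=dark; Domain=example.com; Path=/",                            # not a session cookie
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOST, SAMPLE_HEADERS):
        print(finding)
```

Running the block prints a single finding for the first header. The domain_matches helper also makes the caveat from the remediation text concrete: a cookie with Domain=app.example.com is still delivered to sub.app.example.com, whereas the host-only form is delivered to app.example.com alone.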
