What is the Cookie Scoped to Parent Domain Vulnerability?

The Domain attribute of a cookie defines which domains may access the cookie. Browsers automatically include the cookie in requests to in-scope domains, and those domains can also read the cookie through JavaScript (unless it is marked HttpOnly). If a cookie is scoped to a parent domain, it is available to the parent domain and to every subdomain of that parent. If the cookie contains sensitive data (such as a session token), that data may be accessed by less trustworthy or less secure applications running on those domains, and a weakness in any one of them can compromise the cookie.

Remediation

Cookies are normally scoped to the originating domain and, on IE/Edge, to its subdomains. If you omit the explicit Domain attribute from your Set-Cookie header, the cookie gets this default scope, which is safe and suitable in most cases. If you do require a cookie to be accessible by a parent domain, thoroughly assess the security of the applications that reside on that domain and its subdomains, and make sure you are prepared to trust the people and systems that support those applications.
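The scoping behaviour described above, as an added example that is not ZOFixer's scanner code: it applies RFC 6265 domain-matching to a Set-Cookie header to show which hosts receive the cookie and to flag a Domain attribute naming a parent of the issuing host. The hostnames and header values are constructed, and public-suffix rules are not modelled.

```python
# Added example (not ZOFixer code): apply RFC 6265 domain-matching to a
# Set-Cookie header to show which hosts receive the cookie and to flag a
# Domain attribute that names a parent of the issuing host. Hostnames and
# header values below are constructed; public-suffix rules are not modelled.

def parse_set_cookie(header):
    """Return (name, {attribute: value}) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def effective_scope(issuing_host, header):
    """Return (host_only, cookie_domain) as a browser stores it (RFC 6265 5.3).

    No Domain attribute: host-only cookie for the issuing host.
    Domain=example.com: domain cookie for example.com and all its subdomains.
    """
    _, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        return True, issuing_host.lower()
    return False, domain

def is_sent_to(request_host, issuing_host, header):
    """Would the browser attach this cookie to a request for request_host?"""
    host_only, cookie_domain = effective_scope(issuing_host, header)
    request_host = request_host.lower()
    if host_only:
        return request_host == cookie_domain
    # RFC 6265 5.1.3 domain-matching: equal, or a subdomain of cookie_domain.
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def scoped_to_parent_domain(issuing_host, header):
    """The finding: Domain names a proper parent of the host that set the cookie."""
    host_only, cookie_domain = effective_scope(issuing_host, header)
    return not host_only and cookie_domain != issuing_host.lower()

if __name__ == "__main__":
    # Constructed headers as app.example.com might send them.
    weak = "session=abc123; Domain=example.com; Path=/; Secure; HttpOnly"
    safe = "session=abc123; Path=/; Secure; HttpOnly"
    for hdr in (weak, safe):
        print(scoped_to_parent_domain("app.example.com", hdr),
              is_sent_to("blog.example.com", "app.example.com", hdr), "<-", hdr)
```

Running it shows the header with Domain=example.com being flagged and delivered to blog.example.com, while the header without a Domain attribute stays host-only to app.example.com.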

The ZOFixer.com security scan helps to find this vulnerability in your software and server. You can use it by registering on our website and activating the 30-day trial.
