Forum Discussion
That dives a bit into the "HTTP State Management" RFCs and how cookies can be used across sites. In short, a cookie is natively host-specific. When a host, by name, sends a cookie to a client, the client should only ever return that cookie to the same host. Further, if a host attempts to send a cookie to a client, perhaps in a redirect, intended for another host, the client should ignore this cookie (for security reasons). The one caveat to this last condition is the "domain" attribute of a Set-Cookie header. A Set-Cookie header with a domain attribute tells the client that it can send that cookie back to any host that matches that domain (but must also be in the same domain as the cookie originator).
So, let's say you have a site: host1.domain.com, and it wants to redirect users to host2.domain.com and send a cookie. The only way to do this is by setting a domain attribute in the Set-Cookie header with the value domain.com.
HTTP::respond 302 Location "someplace-else" "Set-Cookie" "foo=bar;path=/" "Set-Cookie" "test=blah;path=/;domain=domain.com"
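The client-side rules described above, as an added example that is not part of the original post: a simplified RFC 6265 model of how a client stores the two cookies from that redirect and which hosts then receive them. The function names (domainMatch, storeCookie, shouldSend) and the host other.com are illustrative assumptions; Path, Secure, expiry and the public-suffix check real browsers apply are left out.

```javascript
// Added example: simplified RFC 6265 cookie handling (ignores Path, Secure,
// expiry and the public-suffix check that real browsers also apply).

// RFC 6265 section 5.1.3 domain-match: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Process one Set-Cookie value received from requestHost.
// Returns the stored cookie, or null when the client must ignore it.
function storeCookie(requestHost, setCookieValue) {
  const [pair, ...attrs] = setCookieValue.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: requestHost.toLowerCase(), hostOnly: true };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() !== "domain" || val === "") continue;
    const domain = val.replace(/^\./, "").toLowerCase(); // leading dot is ignored
    // A host may only set a cookie for a domain it belongs to itself.
    if (!domainMatch(requestHost, domain)) return null;
    cookie.domain = domain;
    cookie.hostOnly = false;
  }
  return cookie;
}

// Would the client send this stored cookie on a request to host?
function shouldSend(cookie, host) {
  return cookie.hostOnly ? host.toLowerCase() === cookie.domain
                         : domainMatch(host, cookie.domain);
}

// Constructed sample: the two cookies from the redirect above, set by host1.
const origin = "host1.domain.com";
const foo = storeCookie(origin, "foo=bar;path=/");
const test = storeCookie(origin, "test=blah;path=/;domain=domain.com");
const foreign = storeCookie(origin, "x=1;path=/;domain=other.com");

for (const host of ["host1.domain.com", "host2.domain.com", "host1.other.com"]) {
  console.log(host, "foo:", shouldSend(foo, host), "test:", shouldSend(test, host));
}
console.log("cookie for other.com stored:", foreign !== null);
```

The host-only cookie foo never reaches host2.domain.com, while test does; the same widening means every other host under domain.com receives test as well.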