I've been reading some posts about web performance, one of the points is to
serve static content from a cookie-free domain, my question is:
Can I share cookies between, let's say example.com and www.example.com, while excluding static1.example.com, static2.example.com, etc?
Or do I need to set a different top level domain?
I know (or I think) that I could set the domain of the cookie to '.example.com', but
correct me if I'm wrong this shares the cookies across all sub-domains.
If you need to share cookies across subdomains you need to scope the cookie at the domain level (e.g. .example.com). When you do that the cookie is available to all the subdomains of .example.com.
For a cookie free static content domain, it is usually a separate domain (e.g. example_staticstuff.com). There is a default two connection limit per domain in HTTP 1.1, so having separate domains often helps speed up simultaneous downloads.
You would have to set a cookie for each sub-domain you want to authorize with the full host-name. This creates additional HTTP header overhead and would be a maintenance nightmare :[