I'm using Perl for this but I'm not sure that matters here, this is raw HTTP.
I have various services which I've built a central login for. The services can be run off-site by third parties and I handle all the handshakes securely, with the central site always maintaining login state with sessions and session cookies.
The problem I'm having is that I want to provide a single login tracker across services in my own domain space, such as service1.example.com, service2.example.com, etc, but the session cookies aren't "sticking" to the subdomains as intended.
From example.com (or www.example.com), I'm setting:
Set-Cookie: SESSION=12345; domain=.example.com; path=/;
Then redirecting to the intended service subdomain.
The cookie is NOT being seen at service1.example.com, service2.example.com, ... Because the browser is not SENDING the cookie to those subdomains.
Everything I've read indicates this should work, but it doesn't and I can't do a multitude of parameter passing between host names as a means to transfer session state, it needs to be done as a cookie shared across subdomains.
This doesn't appear to be a browser issue.
Can anyone shed some light on what may be going on?