We have a single sign on implementation for a family of websites where the authentication cookie comes from the root domain (e.g. bar.com), allowing them to be logged into a child domain (e.g. foo.bar.com). The implementation is in C# using standard .net forms authentication.
Unfortunately, some of our users are having their authentication cookies deleted by anti spyware software. I've been able to recreate this situation by using PC Tools Anti Spyware and IE8.
The practical upshot is that users log into the site, navigate to another page, and then get asked to log in again.
The cookie is flagged as a low risk tracking cookie by the anti spyware software.
Is there any way to make the cookie more palatable to the apparently rather picky tastes of our user's anti spyware software?
Update:
I've looked into the leading "." issue and it's a red herring. IE Doesn't care and, as I found out via this post, the RFC 2965 Specification requires that implementors supply a leading dot.
Further reading led me to the article "Privacy alert: Cookie variants can be used to skirt blockers, anti-spyware tools". Essentially, many websites are using subdomains as a way hide tracking cookies.
It looks like some anti-spyware software will respect P3P (Platform for Privacy Preferences) declarations on the parent domain. Unfortunately, due to lack of support from browser implementors, work has been suspended on P3P.
At this stage I think the solution to the problem will be as one user suggested: the subdomain will need to create its own authentication cookie.