Wt

Wt should take a look at supporting the __Host and __Secure cookie prefixes. While they are similar to setting the Domain, and Secure fields respectively, they offer slightly more protection.
This addresses some concerns of RFC-6265.

• Host: this is similar to setting Domain, but not completely identical. Only an empty Domain will exhibit the same behavior as the __Host prefix. The differentiating part is the way subdomains are handled.
  In the case of Domain, subdomains are able to overwrite cookies with the same name. In case a subdomain is compromised, this can also compromise the other domains.
  The __Host prefix does NOT allow this. This binds the cookie to the specific subdomain, and does not allow manipulation from other subdomains or the main domain.

• Secure: this is similar to setting Secure, but not completely identical. In case Secure is set, only an HTTPS connection is able to set the cookie. However, in case a subdomain was compromised,
  they can set a cookie in HTTP without this flag. The cookie can then still be sent to an HTTPS connection on a subdomain of the same domain. Or, the cookie can be overwritten by an insecure subdomain.
  The __Secure prefix does NOT allow this. If this prefix is found, Secure is enforced. So no insecure channel can write to a secure channel's cookies.