Any cookie belongs to a particular server (domain name) - the most general that
a domain spec is allowed to be is *.foo.com, i.e. with a specified TLD and second
level domain. The path can be anything, i.e. as general as "/". The browser will
send back all cookies which match, most specific first.

The domain constraint was designed as a privacy measure to prevent snarfing of
cookie information that came from one site by other sites, and to stop people
from tracking user behaviour across multiple unrelated sites; the latter of
course was famously sidestepped by DoubleClick and all the ad banner guys by
having an image on all participating sites fetched from their own server :-)
Modern browsers are now starting to appear which have controls to inhibit the
DoubleClick trick, e.g. only accepting cookies from the server that the main
page came from.

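The following is an added example, not code from the post or from any browser or ad network it mentions: a toy cookie jar that applies the domain and path matching the post describes (a ".foo.com"/"*.foo.com" cookie goes back to every host under foo.com, never to an unrelated site, and matching cookies are sent longest path first, i.e. most specific first as in RFC 6265), and then walks through the ad-banner trick, where an image on two unrelated pages is fetched from a third host that sets its own cookie. A "first-party only" switch models the browser control the post mentions. Assumptions: the hostnames (www.foo.com, shop.foo.com, www.bar.org, ads.example.net) and cookie values are made up; only the Domain and Path attributes are parsed; and siteOf() treats the last two labels of a hostname as the site, a simplification standing in for a real public suffix list.

```javascript
// Added example (not from the original post). Hostnames and cookie values are
// made up; only Domain and Path attributes are handled.

// Domain match (RFC 6265 5.1.3): host equals the cookie domain or is a
// subdomain of it. A leading dot, the old ".foo.com" / "*.foo.com" form, is
// dropped, so ".foo.com" covers www.foo.com and shop.foo.com but not bar.org.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, '');
  return host === domain || host.endsWith('.' + domain);
}

// Path match (RFC 6265 5.1.4): "/" matches everything, "/app" matches "/app/x".
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// Simplified "site" of a host: its last two labels (assumption; a real browser
// consults the public suffix list instead).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse a Set-Cookie header. Returns null when the server tries to set a
// cookie for a domain that does not cover the server itself.
function parseSetCookie(header, responseHost, created) {
  const parts = header.split(';').map(s => s.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: responseHost.toLowerCase(),
    hostOnly: true,          // no Domain attribute: sent to this exact host only
    path: '/',
    created,
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'domain' && v.trim()) {
      const d = v.trim().toLowerCase().replace(/^\./, '');
      if (!domainMatches(responseHost, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    } else if (key === 'path' && v.trim()) {
      cookie.path = v.trim();
    }
  }
  return cookie;
}

class CookieJar {
  constructor(firstPartyOnly = false) {
    this.firstPartyOnly = firstPartyOnly;
    this.cookies = [];
    this.counter = 0;
  }

  // Store a cookie from a response fetched while the page from topLevelHost
  // was displayed. With firstPartyOnly, third-party responses are refused.
  store(header, responseHost, topLevelHost) {
    if (this.firstPartyOnly && siteOf(responseHost) !== siteOf(topLevelHost)) return false;
    const cookie = parseSetCookie(header, responseHost, this.counter++);
    if (!cookie) return false;
    // Same name/domain/path replaces the earlier cookie.
    this.cookies = this.cookies.filter(c =>
      !(c.name === cookie.name && c.domain === cookie.domain && c.path === cookie.path));
    this.cookies.push(cookie);
    return true;
  }

  // Cookie header for a request: every matching cookie, longest (most specific)
  // path first, ties broken by creation order (RFC 6265 5.4).
  cookieHeader(host, path) {
    const h = host.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? h === c.domain : domainMatches(h, c.domain)) && pathMatches(path, c.path))
      .sort((a, b) => (b.path.length - a.path.length) || (a.created - b.created))
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
}

// The post's scenarios; returns what each request would carry.
function demo(firstPartyOnly = false) {
  const jar = new CookieJar(firstPartyOnly);
  jar.store('sess=abc; Domain=.foo.com; Path=/', 'www.foo.com', 'www.foo.com');
  jar.store('pref=x; Path=/app', 'www.foo.com', 'www.foo.com');
  const crossDomain = jar.store('evil=1; Domain=bar.org', 'www.foo.com', 'www.foo.com');
  // Ad-banner trick: an image on www.foo.com and on www.bar.org is fetched from
  // ads.example.net, which sets its own cookie on each fetch.
  jar.store('track=42', 'ads.example.net', 'www.foo.com');
  const adCookieOnBar = jar.store('track=42', 'ads.example.net', 'www.bar.org');
  return {
    crossDomain,                                          // false: rejected
    adCookieOnBar,                                        // true unless first-party only
    foo: jar.cookieHeader('www.foo.com', '/app/page'),    // 'pref=x; sess=abc'
    fooSub: jar.cookieHeader('shop.foo.com', '/'),        // 'sess=abc'
    bar: jar.cookieHeader('www.bar.org', '/'),            // '' (no cross-site leak)
    ad: jar.cookieHeader('ads.example.net', '/banner.gif'), // 'track=42' from either page
  };
}
```

demo(false) shows both halves of the post: the domain rule keeps foo.com's cookies away from bar.org, yet ads.example.net gets its own cookie back on every banner fetch no matter which page embedded the image, which is all the ad network needs to correlate visits. demo(true) refuses the cookie set by the third-party response, so the banner request carries nothing.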