[Security:low] Incorrect cookie domain for non-sso cookies
Affected version
Version: 2.19.0
Summary
Since 2.19.0 (d4e54a98), all portal-specific cookies (llngconnection, lemonldappdata, others?) are scoped to the SSO "domain" instead of being scoped only to the portal.
Security impact, if any, should be low; IMO the worst that could happen is leaking the llngconnection cookie to SSO-protected apps. But fingerprinting uses TOTP since 2.17, and #3200 (closed) has not been published yet. Still flagging it as a security issue in case I haven't thought of something.
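
An added example, not part of the original report and not LemonLDAP::NG code: a check that takes the `Set-Cookie` headers returned by a portal and reports which portal-only cookies a browser would also send to protected applications. The host names, cookie values and the SSO cookie name `lemonldap` are assumptions made for the sample.

```python
# Added example: constructed headers and host names, not LemonLDAP::NG code.

def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def receives_cookie(host, origin_host, attrs):
    """RFC 6265 matching: host-only unless a Domain attribute is present."""
    domain = attrs.get("domain", "").lstrip(".").lower()
    host = host.lower()
    if not domain:
        return host == origin_host.lower()
    return host == domain or host.endswith("." + domain)

def leaked_portal_cookies(headers, portal_host, app_hosts, sso_cookie):
    """Map each portal-only cookie to the app hosts that would receive it."""
    leaks = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name == sso_cookie:
            continue  # the SSO session cookie is meant to span the domain
        hosts = [h for h in app_hosts if receives_cookie(h, portal_host, attrs)]
        if hosts:
            leaks[name] = hosts
    return leaks

# Constructed sample input (assumed names and values).
PORTAL = "auth.example.com"
APPS = ["app1.example.com", "app2.example.com"]
SSO_COOKIE = "lemonldap"  # assumption: SSO cookie name used in this sample
SCOPED_TO_DOMAIN = [      # behaviour described in the report
    "lemonldap=constructed-session; Domain=.example.com; Path=/; Secure; HttpOnly",
    "llngconnection=constructed; Domain=.example.com; Path=/; Secure; HttpOnly",
    "lemonldappdata=constructed; Domain=.example.com; Path=/; Secure",
]
HOST_ONLY = [             # portal cookies scoped to the portal only
    "lemonldap=constructed-session; Domain=.example.com; Path=/; Secure; HttpOnly",
    "llngconnection=constructed; Path=/; Secure; HttpOnly",
    "lemonldappdata=constructed; Path=/; Secure",
]

if __name__ == "__main__":
    print(leaked_portal_cookies(SCOPED_TO_DOMAIN, PORTAL, APPS, SSO_COOKIE))
    print(leaked_portal_cookies(HOST_ONLY, PORTAL, APPS, SSO_COOKIE))
```
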