    Enable optional strict domain checking for cookies.

    Review Request #14223 — Created Nov. 2, 2024 and submitted — Latest diff uploaded

    Information

    RBTools
    release-5.x

    Python's cookie handler defaults to including cookies from any parent
    domain in a request to a subdomain. This can lead to issues if the same
    cookie is present for both domains, as the wrong cookie may end up
    winning. This isn't standard cookie behavior in all clients, but it is
    in Python, and it's not configurable.

    This is a problem in the case where you have a primary server (e.g.,
    rb.example.com) and a staging server as a subdomain (e.g.,
    staging.rb.example.com).

    To address this, we have a new option, COOKIES_STRICT_DOMAIN_MATCH.
    When set, this overrides Python's default cookie logic to require an
    exact domain match unless the cookie's domain contains a leading .
    (which indicates a cookie intended to be used for subdomains).

    This is off by default, in case this could impact any deployments out
    there, but it can be safely enabled in most cases.

    Unit tests pass.

    Successfully posted changes to a subdomain exhibiting this problem
    once the option was turned on.
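    The following is an added illustration, not RBTools' own implementation of COOKIES_STRICT_DOMAIN_MATCH: it reproduces the parent-domain behaviour of Python's http.cookiejar described above and shows one way to enforce an exact domain match that still honours a leading ".". The policy class name (StrictDomainCookiePolicy), the hostnames rb.example.com / staging.rb.example.com and the cookie names and values are assumptions constructed for the demo.

```python
"""Parent-domain cookie matching in http.cookiejar, and a strict-match policy.

Assumptions: the StrictDomainCookiePolicy class, the hostnames and the cookie
names/values below are constructed for this example and are not RBTools code.
"""
from http.cookiejar import (Cookie, CookieJar, DefaultCookiePolicy,
                            eff_request_host)
from urllib.request import Request


class StrictDomainCookiePolicy(DefaultCookiePolicy):
    """Return a cookie only when its domain exactly matches the request host,
    unless the cookie's domain has a leading "." (explicitly for subdomains)."""

    def return_ok_domain(self, cookie, request):
        # Keep the stock checks first; they only reject, never accept more.
        if not super().return_ok_domain(cookie, request):
            return False
        domain = cookie.domain.lower()
        if domain.startswith('.'):
            # ".rb.example.com" was deliberately scoped to subdomains, so the
            # suffix match already applied by super() is the right answer.
            return True
        _req_host, erhn = eff_request_host(request)
        # Host-only cookie: require the effective request host to match exactly.
        return erhn == domain


def make_cookie(name, value, domain):
    """Build a Netscape-style (version 0) cookie for a domain (constructed data)."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith('.'),
        path='/', path_specified=True,
        secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar(policy=None):
    """Jar with the situation from the review request: the same session cookie
    name on the primary server and on a staging subdomain, plus one cookie
    deliberately scoped to every subdomain via a leading dot."""
    jar = CookieJar(policy=policy)
    jar.set_cookie(make_cookie('rbsessionid', 'prod-session', 'rb.example.com'))
    jar.set_cookie(make_cookie('rbsessionid', 'staging-session',
                               'staging.rb.example.com'))
    jar.set_cookie(make_cookie('shared', 'yes', '.rb.example.com'))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url
    ('' when no stored cookie applies)."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header('Cookie', '')


if __name__ == '__main__':
    staging = 'https://staging.rb.example.com/api/'
    # Default policy: the primary server's rbsessionid is sent to the
    # subdomain too, so the server sees two cookies with the same name.
    print('default:', cookie_header_for(build_jar(), staging))
    # Strict policy: only the staging cookie and the dot-prefixed one remain.
    print('strict :', cookie_header_for(build_jar(StrictDomainCookiePolicy()),
                                        staging))
```

    With the default policy the request to the staging subdomain carries both rbsessionid cookies (parent-domain first, in jar insertion order), which is exactly the ambiguity the option removes; with the strict policy only the subdomain's own cookie and the explicitly dot-scoped cookie are sent, and a request to the primary server is unaffected.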
