Need to know if web2py is setting cookies properly for this specific case


Lisandro

Aug 8, 2019, 9:17:32 AM
to web2py-users
I have two applications that share the same model. 
One of the applications runs on top level domain, and the other runs in a subdomain:

test.com: applications/test
admin.test.com: applications/test_admin

The user logs in from admin.test.com and the cookie needs to be valid also for test.com (so the user is logged in in both applications).
I use this custom code to log in the user:

def login():
    email = request.post_vars.email
    password = request.post_vars.password
    # auth.login_bare() returns the user row on success, False otherwise
    user = auth.login_bare(email, password)
    if user:
        session.auth.expiration = auth.settings.expiration
        return response.json({'success': True})


Additionally, in order to make the session valid for the top level domain also, I've added this to models/db.py (remember it is the same model for both applications):

from gluon.contrib.redis_session import RedisSession

# redis_conn is assumed to be created earlier in the model
# (e.g. RConn('localhost', 6379) from gluon.contrib.redis_utils)
sessiondb = RedisSession(redis_conn=redis_conn, session_expiry=36000)
session.connect(request, response, db=sessiondb, masterapp='test')
# widen the session cookie so it is sent to test.com and all its subdomains
if response.session_id_name in response.cookies:
    response.cookies[response.session_id_name]['domain'] = 'test.com'


This approach has been working smoothly for a long time, and it still does. However, it doesn't work properly on several versions of Safari. In those cases, the login is done properly, but then it would seem that the browser can't read the cookie. So the user logs in, is redirected to the main domain, but when he wants to go to the admin application, he is asked to log in again.
I've always thought that the problem is within Safari.
But recently I used the Chrome Inspector to inspect cookies and I've noticed some weird stuff going on with cookies:


Accessing test.com (being logged in) shows these four cookies:

Name=session_id_test
Value="154:1ad89acc-1f33-4c9a-805e-6888dcf227d3"

Name=session_id_test
Value="154:aab759f5-4738-42e3-978f-05ba4e60c5a4"
Domain=.test.com

Name=session_id_test
Value="153:34738cd8-e451-4f66-a059-3afd0a805afe"
Domain=test.com

Name=session_id_test_admin
Value=127.0.0.1-0ab04b23-f8df-406c-988e-977b6d78b3f7


Accessing admin.test.com (being logged in) shows these four cookies:

Name=session_id_test
Value="154:1ad89acc-1f33-4c9a-805e-6888dcf227d3"

Name=session_id_test
Value="154:aab759f5-4738-42e3-978f-05ba4e60c5a4"
Domain=.test.com

Name=session_id_test
Value="153:34738cd8-e451-4f66-a059-3afd0a805afe"
Domain=test.com

Name=session_id_test_admin
Value=127.0.0.1-af3d5aaa-3388-4bf5-8c65-69693f7eed35



I'm not sure if there should be that many cookies.
I think that these lines from models/db.py could be making that mess:

if response.session_id_name in response.cookies:
    response.cookies[response.session_id_name]['domain'] = 'test.com'


However, I can confirm that this code is running smoothly on major versions of Chrome, Firefox, etc.
It doesn't work only on Safari (actually, it works on a few versions of Safari).

What do you think?
If my approach isn't right, what should I add to models/db.py to share the session for both applications?
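The cookie listing above can be explained with the RFC 6265 scoping rules alone. The following is an added example, not code from the post or from web2py: a minimal cookie jar that stores a host-only cookie and a Domain cookie of the same name as separate entries and shows which of them a browser sends to test.com and to admin.test.com. The Set-Cookie headers and session values in scenario() are constructed to mirror the shape of the inspector listing.

```python
def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: equal, or request_host is a subdomain of cookie_domain."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def parse_set_cookie(header: str):
    """Return (name, value, domain) from a Set-Cookie header. Quotes around the
    value and a leading dot on Domain are dropped, as browsers do (RFC 6265 5.2.3)."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    domain = ""
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lstrip(".").lower()
    return name.strip(), value.strip('"'), domain


class CookieJar:
    """Cookies are keyed by (name, domain, host_only): same name but different
    scope means a different cookie, so several session_id_test entries coexist."""

    def __init__(self):
        self.store = {}

    def set_from(self, request_host: str, header: str) -> bool:
        name, value, domain = parse_set_cookie(header)
        if domain:
            if not domain_match(request_host, domain):
                return False                 # RFC 6265 5.3 step 6: cookie ignored
            key = (name, domain, False)      # domain cookie: host and all subdomains
        else:
            key = (name, request_host, True)  # host-only cookie: that exact host
        self.store[key] = value
        return True

    def cookies_for(self, request_host: str):
        """(name, value) pairs the browser would put in the Cookie header."""
        sent = []
        for (name, domain, host_only), value in self.store.items():
            if (host_only and request_host == domain) or (not host_only and domain_match(request_host, domain)):
                sent.append((name, value))
        return sent


def scenario() -> CookieJar:
    # Constructed headers: an old host-only cookie on test.com, a host-only cookie
    # on admin.test.com, and the widened cookie produced by the db.py override.
    jar = CookieJar()
    jar.set_from("test.com", 'session_id_test="153:aaaa"')
    jar.set_from("admin.test.com", 'session_id_test="154:bbbb"')
    jar.set_from("admin.test.com", 'session_id_test="154:cccc"; Domain=test.com')
    jar.set_from("admin.test.com", "session_id_test_admin=127.0.0.1-dddd")
    return jar
```

Both hosts end up receiving two cookies named session_id_test in one request, and RFC 6265 5.4 tells servers not to rely on the order in which a user agent lists them, so which session id the application reads is not guaranteed; a session cookie should exist at exactly one scope, with stale host-only copies expired.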