I want to identify browsers, servers, or implementations that are immune from related domain cookie attacks (e.g. a.example.com vs b.example.com).
That is simple: there are none. It's a basic part of the design of cookies that a.example.com gets to write cookies scoped to example.com, that will be picked up by b.example.com.
There are browser differences in what cookies ‘wins’ when the same name is defined at multiple levels, and there is a difference in IE vs the other browsers in that IE will scope a cookie set at a.example.com to *.a.example.com if it has no domain
, whereas other browsers scope it to only the exact domain.
Lacking any tangible solution, could this mitigated by software that tracks and verifies each cookie's "type" and persists that.
Not directly. There is no way to read the domain/path/etc options from a cookie.
All you can do is attempt to guess at what level the cookie was set, and try to verify that by deleting the cookie at that level (by settings expires
in the past). If the cookie disappears, you guessed right; if it's still there, try a different domain/path combination.