Is it poor practice to host multiple web applications on the same domain, in terms of cookies?


In my web application, I have a single API backend and two frontends written as single page applications. To simplify deployment, I’d like to serve the API on /api, the admin dashboard on /admin, and the end user frontend on /user (or something similar), all on the same domain.

I want to use cookies for handling sessions, for both the end-user and admin apps. Is this a good idea? As I understand it, cookie usage is restricted by their domain. Would it make it simpler for an attacker to steal admin-session cookies from someone logged into both frontends? Or, should I use different domains for the admin and user frontends (admin.mydomain.com and user.mydomain.com)?