If a user has a cookie for example.com (your domain) and type in vendor.example.com in the web browser how would you invalidate these cookies before they are sent to the vendor? Or even after they are sent? I struggle a bit with seeing how this could be done in a secure manner.
