The scope of cookies without a domain is limited to the current server.
The current logic is always wrong because either it's the same server
and the new cookie should supersede the old one, or it's a different
server and the old cookie should not be sent. This logic is still far
from RFC-compliant, but at least it should get it right some of the time.