Then don't put anything on the root domain and use www.paypal.com for the main operations. corp.paypal.com's cookies are separated from www.paypal.com's.
Then don't put anything on the root domain and use www.paypal.com for the main operations. corp.paypal.com's cookies are separated from www.paypal.com's.
But paypal.com's cookies are shared with corp.paypal.com and, depending on headers and fields, possibly vice versa.
My browser lists 8 .paypal.com cookies and 2 www.paypal.com cookies when I visit www.paypal.com. Those cookies are shared with https://fastlane.paypal.com/ (some random subdomain I found online).
They can separate those cookies out, of course, but they don't need to if they use separate domains and the cheapest work is work that doesn't need doing.
They also seem to own paypal.ai which mcp.paypal.com redirects to the docs of it could also just be a branding thing.
www.paypal.com can create cookie for paypal.com and that cookie will be sent for corp.paypal.com requests. And vice-versa, of course.