Two cookies set: "example.com" and ".example.com"

[airblade]

Hello!

I recently upgraded from 1.6.0 to 2.1.0 and I'm on Rails 6.0.0.

I have noticed that Clearance sets two cookies when I sign in: one for the domain .example.com and another for example.com. They have the same name (remember_token), value, path (/), and size. They differ as follows:

Field	.example.com	example.com
Expires	In 1 year	Session
Secure	Yes	No
HttpOnly	Yes	No
SameSite	Lax	-

Here is an excerpt from my configuration:

Clearance.configure do |config|
  config.allow_sign_up          = false
  config.cookie_domain          = (Rails.env.production? ? '.example.com' : nil)
  config.routes                 = false
  config.rotate_csrf_on_sign_in = true
  config.httponly               = true
  config.secure_cookie          = Rails.env.production?
  config.same_site              = :lax
end

When I log out Clearance deletes the .example.com cookie but leaves the other one alone.

It looks to me like the .example.com cookie is the "correct" one and the other one is bogus. How do I ensure the other one isn't created in the first place?

Also, I don't use subdomains at all – so should I actually be setting the cookie domain to example.com instead of .example.com?

Many thanks in advance.