
Say you set a session cookie that spans multiple subdomains (cookie domain = `.example.com`).

Now, if one of your authenticated users visits the wrong subdomain, they are directed to a server of name.com's choice.

That server now has access to your user's session ID (using JavaScript or PHP or whatever to read the cookie).
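To illustrate the scoping rule behind this comment (added here; not the commenter's code), below is a small model of RFC 6265 cookie domain matching: a cookie set with `Domain=.example.com` is attached to requests for any subdomain, including a mistyped one, while a host-only cookie (here using the `__Host-` prefix) stays bound to the host that set it. The hostnames `www.example.com` / `wwww.example.com` and the cookie values are constructed; Path matching and expiry are left out.

```python
# Added example: minimal browser-style cookie scoping (RFC 6265 domain-match).
def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: hosts match when equal, or when request_host ends
    with '.' + cookie_domain (a leading dot on the cookie domain is ignored)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def set_cookie(header: str, response_host: str) -> dict:
    """Turn a Set-Cookie header into a stored cookie the way a browser would.
    No Domain attribute -> host-only cookie bound to response_host.
    A __Host- name must be Secure, Path=/ and carry no Domain, or it is dropped."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    domain, secure = attrs.get("domain"), "secure" in attrs
    if name.startswith("__Host-") and (not secure or domain is not None or attrs.get("path") != "/"):
        raise ValueError("__Host- cookie violates the prefix rules; a browser drops it")
    if domain is None:
        return {"name": name, "value": value, "domain": response_host.lower(),
                "host_only": True, "secure": secure}
    if not domain_matches(response_host, domain):
        raise ValueError("Domain does not cover the responding host; a browser drops it")
    return {"name": name, "value": value, "domain": domain.strip(".").lower(),
            "host_only": False, "secure": secure}

def cookie_sent_to(cookie: dict, request_host: str, https: bool = True) -> bool:
    """Would the stored cookie be attached to a request for request_host?"""
    if cookie["secure"] and not https:
        return False
    if cookie["host_only"]:
        return request_host.lower().rstrip(".") == cookie["domain"]
    return domain_matches(request_host, cookie["domain"])

def demo() -> dict:
    """Constructed scenario: www.example.com sets two session cookies; the user then
    lands on the mistyped wwww.example.com, which may resolve to someone else's server."""
    shared = set_cookie("sid=abc123; Domain=.example.com; Secure; Path=/", "www.example.com")
    bound = set_cookie("__Host-sid=abc123; Secure; Path=/", "www.example.com")
    return {
        "shared_to_www": cookie_sent_to(shared, "www.example.com"),    # True
        "shared_to_typo": cookie_sent_to(shared, "wwww.example.com"),  # True: session ID leaks
        "bound_to_www": cookie_sent_to(bound, "www.example.com"),      # True
        "bound_to_typo": cookie_sent_to(bound, "wwww.example.com"),    # False: stays on its host
    }
```

Running `demo()` shows the leak and the fix side by side: the shared cookie reaches every subdomain, the host-bound one only reaches `www.example.com`.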


