A: Wrong. You should be able to access sub-domain
B: Wrong, HttpOnlyCookie can only be set from server side. Securemeans https only;
C: Correct. If you don't set the max time for cookie, it works like a session
D: Correct. By default, it set Same-Site=Lax
SameSite=Lax: This is a less restrictive model than Strict. Cookies will be withheld on cross-site subrequests, like loading images or frames, but will be sent when a user navigates to the URL from an external site, like by following a link.
