htaccess – Cookies for www and non-www different

This is arguably a problem with your server-side application and how you are setting cookies (if this behaviour is undesirable), rather than the browser per se. In order to set a cookie, you determine on what domain (or rather, what part of the current hostname) the cookie is set. If your application is setting two different cookies, one for the www subdomain and one for the domain apex, then it’s setting the cookie on the requested hostname only, rather than the domain apex (and all subdomains).

However, redirecting from one to the other would work around the issue since it obviously prevents the site being accessible from the non-canonical hostname and the application can’t then set a cookie on it. (Note that browsers will continue to send the Cookie header on the non-canonical hostname, whilst it’s still valid in the browser.)

If the non-www hostname is canonical then you should indeed be redirecting from www to non-www…

RewriteCond %{HTTP_HOST} ^www\.example\.org$
RewriteRule (.\*) http://example.org/$1 [L,R=301]

This is close, but you have a typo in the RewriteRule pattern that will prevent it from matching “most” URLs… (.\*) matches a literal *, which is probably not the intention. It should simply be (.*) to match “everything” (no backslash escape before the *).

You should also presumably be redirecting to HTTPS, not plain old HTTP? And if you only have the one domain then you can simplify the condition to match just www at the start of the hostname, rather than matching the entire hostname.

For example:

RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule (.*) https://example.org/$1 [L,R=301]
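
The cookie scoping described in the first paragraph, as an added example that is not part of the original answer: a small model of the RFC 6265 storage and domain-matching rules, showing which hostname receives a cookie set with and without a Domain attribute. The cookie name and the helper function names are assumptions, and the public-suffix and IP-address checks a real browser performs are left out.

```python
# Added example: RFC 6265 cookie scoping (host-only vs. Domain attribute).
# Cookie names and helper names are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

HOSTS = ["example.org", "www.example.org"]


@dataclass
class Cookie:
    name: str
    domain: str      # canonicalised: lower case, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: identical, or host ends with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def store_cookie(request_host: str, name: str,
                 domain_attr: Optional[str] = None) -> Optional[Cookie]:
    """Model how a browser stores a cookie received from request_host."""
    if not domain_attr:
        # No Domain attribute: the cookie is bound to the exact request host.
        return Cookie(name, request_host.lower(), host_only=True)
    domain = domain_attr.lstrip(".").lower()
    # A host may only set cookies for itself or a parent domain.
    if not domain_match(request_host, domain):
        return None
    return Cookie(name, domain, host_only=False)


def is_sent(cookie: Cookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_match(request_host, cookie.domain)


def hosts_receiving(cookie: Cookie, hosts: List[str]) -> List[str]:
    return [h for h in hosts if is_sent(cookie, h)]


if __name__ == "__main__":
    for host, attr in [("www.example.org", None), ("example.org", None),
                       ("www.example.org", "example.org")]:
        c = store_cookie(host, "session", attr)
        print(f"set on {host} Domain={attr}: sent to {hosts_receiving(c, HOSTS)}")
```

Setting Domain=example.org widens the cookie to every subdomain of example.org, not just www, so a host-only cookie combined with the redirect to the canonical hostname is the narrower scope.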