Task
Resolution: Done
Major
Testable
rhel-cockpit
It is allegedly possible to open a tab with the login page, log in to remote machine A, then open a second tab which shows the login page again (because it has a different URL, due to the nonexistent =hostname), and log in to machine B.
Requests to machine B then carry the login cookies for both sessions. If that is really true, then machine B can completely own machine A.
This needs to be disallowed: either ws plainly rejects a request that carries a cookie for a non-matching host (403 page), or it redirects the request to the existing session.
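The following is an added illustration of the check the issue asks for; it is not code from cockpit-ws or from this issue. It assumes a hypothetical per-host cookie name of the form session-HOST, a request path convention of /=HOST/... for remote machines (as the issue describes), and a server-side session record that remembers which host the user authenticated against. The "unbound" function is the behaviour the issue describes as dangerous; the "bound" function implements both remedies mentioned (403, or redirect to the existing session).

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    token: str
    host: str  # host the user actually authenticated against


class SessionStore:
    """Server-side sessions, keyed by the random cookie value (hypothetical)."""

    def __init__(self):
        self._by_token = {}

    def login(self, host):
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Session(token, host)
        return token

    def lookup(self, token):
        return self._by_token.get(token)


def host_from_path(path):
    """'/=b.example/system' -> 'b.example'; anything else targets the local machine."""
    first = path.lstrip("/").split("/", 1)[0]
    if first.startswith("=") and len(first) > 1:
        return first[1:]
    return "localhost"


def parse_cookies(header):
    """Minimal Cookie: header parser (name=value pairs separated by ';')."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def authorize_unbound(store, path, cookie_header):
    """The behaviour the issue warns about: any valid session cookie is accepted,
    regardless of which host the request is routed to. With cookies for A and B
    both present, a request to B may be served with A's session."""
    for value in parse_cookies(cookie_header).values():
        session = store.lookup(value)
        if session is not None:
            return ("200", session.host)
    return ("401", None)


def authorize_bound(store, path, cookie_header, redirect=False):
    """Hardened check: the session used must have been authenticated against the
    host the request targets. A valid cookie for some other host is not an
    authorization for this one; it yields 403, or a redirect to that host's
    existing session when redirect=True."""
    target = host_from_path(path)
    matched = None
    other_hosts = []
    for value in parse_cookies(cookie_header).values():
        session = store.lookup(value)
        if session is None:
            continue  # unknown or expired token: ignore
        if session.host == target:
            matched = session
        else:
            other_hosts.append(session.host)
    if matched is not None:
        return ("200", matched.host)
    if other_hosts:
        if redirect:
            return ("302", "/=%s/" % other_hosts[0])
        return ("403", None)
    return ("401", None)  # no session at all: show the login page


if __name__ == "__main__":
    # Constructed scenario from the issue: two tabs, two logins, both cookies sent.
    store = SessionStore()
    tok_a = store.login("a.example")
    tok_b = store.login("b.example")
    both = "session-a.example=%s; session-b.example=%s" % (tok_a, tok_b)
    print("unbound, request to B with both cookies:", authorize_unbound(store, "/=b.example/system", both))
    print("bound,   request to B with both cookies:", authorize_bound(store, "/=b.example/system", both))
    print("bound,   request to A with only B's cookie:", authorize_bound(store, "/=a.example/system", "session-b.example=" + tok_b))
```

Note that the hardened check keys on the host recorded in the server-side session, not on the cookie name: cookie names are chosen by the client and carry no authority, so a mismatch check that trusts them would be trivially bypassed.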