Session cookie for multiple domains. Security concerns


I think this is kind of a trivial question, but I got an idea that I want to share and ask if it is even necessary.

I have 3 react apps as 3 different subdomains - auth.site.com, client.site.com and admin.site.com, and a django backend at api.site.com.

Now it works like this:

  1. User logs in from auth, through api.site.com
  2. Django sets session cookie with Domain=.site.com
  3. User is redirected to the allowed react app (client or admin)

But... This way I can't set the cookie for a specific react app subdomain, because the Set-Cookie header is sent from api and the browser rejects it if the domain is not .site.com

Second approach:

  1. User logs in at auth
  2. User is redirected to, for example, admin.site.com/internal/setcookie/<long_long_token> (the web server sends these /internal/* paths to django instead of react)
  3. At that view, django gets the session from this one-time <long_long_token>, and sets the cookie with Domain=admin.site.com.
  4. User is redirected to /

Considerations

First of all, I wonder if I can even use this: will the browser not send cookies to api.site.com when the session cookie has Domain=admin.site.com?

Also, I don't like that if a user logs in and is redirected to client, he can still just change the subdomain to admin and will still have access (right now I have strong permission protection from this).

And finally, I hate that if I log in at client, and then log in to admin as another user, the session at client will not work anymore because the cookie was overridden...


There are 0 answers
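The question hinges on two browser rules from RFC 6265: when a Set-Cookie with a Domain attribute is accepted at all, and which hosts a stored cookie is later sent to. The following is an added illustration, not code from the question or from Django, that models both rules and replays the two approaches against the hostnames the question names (auth, client, admin and api under site.com). The cookie names and values are constructed sample data.

```python
"""Cookie Domain scoping as a browser applies it (RFC 6265 sections 5.1.3, 5.3, 5.4).

Added example, not part of the original post. Hostnames are those from the
question; cookie names/values are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host domain-matches domain when they are equal, or when
    host ends with '.' + domain and host is not an IP address.
    A leading dot on the domain (Django's Domain=.site.com) is ignored."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".").rstrip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip(host)


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # effective domain, leading dot already stripped
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def accept_set_cookie(response_host: str, name: str, value: str,
                      domain_attr: str | None) -> Cookie | None:
    """RFC 6265 5.3 steps 4-6: a Domain attribute that the responding host
    does not domain-match makes the browser ignore the whole cookie.
    This is why api.site.com cannot hand out a cookie scoped to admin.site.com."""
    if domain_attr is None:
        return Cookie(name, value, response_host.lower(), host_only=True)
    domain = domain_attr.lower().lstrip(".")
    if not domain_matches(response_host, domain):
        return None
    return Cookie(name, value, domain, host_only=False)


def cookies_sent_to(request_host: str, jar: list[Cookie]) -> list[str]:
    """RFC 6265 5.4: host-only cookies need an exact host match; cookies with
    a Domain attribute go to every host that domain-matches it."""
    sent = []
    for c in jar:
        if c.host_only:
            if request_host.lower() == c.domain:
                sent.append(c.name)
        elif domain_matches(request_host, c.domain):
            sent.append(c.name)
    return sent


def scenario() -> dict[str, list[str]]:
    """Replays the question's two approaches and reports which cookies each
    subdomain receives afterwards."""
    jar: list[Cookie] = []

    # Approach 1: api.site.com sets the session cookie with Domain=.site.com.
    # Accepted, and visible to every *.site.com host.
    wide = accept_set_cookie("api.site.com", "sessionid_wide", "s1", ".site.com")

    # What the question says the browser rejects: api.site.com trying to
    # scope the cookie to admin.site.com. The Set-Cookie is dropped.
    rejected = accept_set_cookie("api.site.com", "sessionid_admin", "s2", "admin.site.com")
    assert rejected is None

    # Approach 2: the /internal/setcookie/<token> view responds from
    # admin.site.com itself, so Domain=admin.site.com is accepted.
    admin_only = accept_set_cookie("admin.site.com", "sessionid_admin", "s2", "admin.site.com")

    jar.extend(c for c in (wide, admin_only) if c is not None)
    return {host: cookies_sent_to(host, jar)
            for host in ("admin.site.com", "client.site.com", "api.site.com")}


if __name__ == "__main__":
    for host, names in scenario().items():
        print(f"{host:16} <- {names}")
```

Running it shows the answer to the first consideration: the cookie scoped to admin.site.com is sent only to admin.site.com (and hosts below it), never to api.site.com or client.site.com, so a frontend whose API lives on a sibling subdomain would not carry that session to the API. The site-wide Domain=.site.com cookie, by contrast, reaches all three hosts, which is also why a single session cookie is shared (and overwritten) between client and admin in the original setup.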