
How Browsers Know What Cookies To Send To Server When Requesting?

I know how the cookies work, just started to dig into why Codeigniter does not store the generated CSRF token in SESSION, it just stores it in a cookie. Concerned about security, I've started to

Solution 1:

Cookies are subject to the same origin policy: a site can only write and read cookies for its own domain.

Solution 2:

Cookies can only be set for the current domain or its subdomains, as you have already found out (otherwise, anyone could replace anyone else's cookie; chaos would ensue). This is enforced by the browser: if you attempt to set cookies for another domain from the server side (using an HTTP header), the browser will ignore the cookie. If you attempt to do the same from the client side (using Javascript), the same origin policy will prevent you from doing so.

Therefore, www.evilsite.com can set a cookie for its own domain with Javascript, but that's not an issue: it could already do that using an HTTP header. There's no new attack vector here.

Solution 3:

[…] is it possible to set 'evil_cookie' with a path='/' and domain = 'www.goodsite.com' from another domain, from some 'www.evilsite.com'?

No, user agents should ignore Set-Cookie directives with Domain attributes that do not domain-match the current requested domain:

The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server. For example, the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".

Such cookies would not even be accepted by user agents. Something similar applies to the Path and Secure attributes.

See also How do browser cookie domains work? for examples of how the Domain attribute values are interpreted by user agents.
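The rules quoted in Solution 2 and Solution 3 can be made concrete. The following is an added example, not code from the original post or from CodeIgniter: a minimal model of the RFC 6265 domain-match and path-match rules, the check that makes a browser ignore a Set-Cookie whose Domain attribute does not cover the responding host, and the selection of stored cookies for an outgoing request (the question in the title). The hostnames, cookie names and values are made up for the walk-through; the public-suffix check, IP-literal hosts, expiry, HttpOnly and SameSite are deliberately left out, since the thread is about Domain and Path scoping.

```javascript
// Added example (not from the original post, nor from CodeIgniter): a minimal
// model of the RFC 6265 rules a browser applies when storing and sending
// cookies. Assumptions: request hosts are DNS names (no IP literals), the
// public-suffix check is omitted, and expiry, HttpOnly and SameSite are
// ignored, since the question is about Domain and Path scoping.

// RFC 6265 section 5.1.3: does requestHost domain-match cookieDomain?
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// RFC 6265 section 5.1.4: does requestPath path-match cookiePath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // "/app" must not match "/application": the boundary has to be a "/"
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// RFC 6265 section 5.3, step 6: a Set-Cookie received from requestHost that
// carries a Domain attribute is ignored unless requestHost domain-matches
// that Domain. Returns the cookie record to store, or null if ignored.
function acceptSetCookie(requestHost, attrs) {
  const host = requestHost.toLowerCase();
  const cookie = {
    name: attrs.name,
    value: attrs.value,
    path: attrs.path || '/',
    secure: Boolean(attrs.secure),
  };
  if (attrs.domain) {
    const domain = attrs.domain.replace(/^\./, '').toLowerCase();
    // www.evilsite.com cannot scope a cookie to www.goodsite.com
    if (!domainMatches(host, domain)) return null;
    cookie.domain = domain;
    cookie.hostOnly = false;
  } else {
    // No Domain attribute: host-only cookie, sent back to exactly this host.
    cookie.domain = host;
    cookie.hostOnly = true;
  }
  return cookie;
}

// RFC 6265 section 5.4: select the stored cookies to attach to a request.
function cookiesForRequest(jar, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
    .filter((c) => pathMatches(u.pathname, c.path))
    .filter((c) => !c.secure || u.protocol === 'https:')
    .map((c) => `${c.name}=${c.value}`);
}

// Constructed walk-through (hostnames and cookie values are made up).
function demo() {
  const jar = [];
  const store = (host, attrs) => {
    const c = acceptSetCookie(host, attrs);
    if (c) jar.push(c);
    return c !== null;
  };
  const result = {
    // the scenario from the question: evilsite tries to plant a cookie for goodsite
    evilAccepted: store('www.evilsite.com', { name: 'evil_cookie', value: 'x', domain: 'www.goodsite.com', path: '/' }),
    // goodsite sets a host-only Secure session cookie and a site-wide CSRF cookie under /app
    sessionAccepted: store('www.goodsite.com', { name: 'sid', value: 's1', secure: true }),
    csrfAccepted: store('www.goodsite.com', { name: 'csrf', value: 'c1', domain: 'goodsite.com', path: '/app' }),
  };
  result.toWwwApp = cookiesForRequest(jar, 'https://www.goodsite.com/app/form');
  result.toApi = cookiesForRequest(jar, 'https://api.goodsite.com/app');
  result.toWwwHttp = cookiesForRequest(jar, 'http://www.goodsite.com/app');
  result.toWwwOtherPath = cookiesForRequest(jar, 'https://www.goodsite.com/application');
  return result;
}

console.log(demo());
```

Running it shows the evil cookie being dropped at store time, the host-only session cookie going only to www.goodsite.com over https, and the domain cookie also reaching api.goodsite.com but only under paths that path-match /app.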
