Nevermind, I tweaked the two address for the blog since they were weird to get to work the first time under a subdomain. It seems to work fine right now, and cookies are being passed correctly to the browser.
You can shorten the valid time frame on the cookie that is issued when someone enters a password to view a protected post. If you go into your wp-config.php file, edit the following line:
setcookie('wp-postpass_' . COOKIEHASH, $_POST['post_password'], time() + 864000);
Change the “864000” number to something smaller…it’s set to 10 days (in seconds), so maybe try something shorter like 300 (for 5 minutes). It might be annoying to have to re-enter a password if you refresh the page, but it will ensure that those posts don’t stay unprotected for too long.
