Wow, still relevant in 2020. Only thing that works for me is to leave cookie domains blank on both domain.com and dev.domain.com (I use non-www same as OP) and then set different backend admin urls via Custom Admin Path setting in admin. Obviously you have to do this via database if you can't access directly.

Anyone comment on the dangers of leaving cookie domain empty like I do? I do periodically have customers with login redirects, but it's not common and not sure if setting domains will help anyway.

Wow, still relevant in 2020. Only thing that works for me is to leave cookie domains blank on both domain.com and dev.domain.com (I use non-www same as OP) and then set different backend admin urls via Custom Admin Path setting in admin. Obviously you have to do this via database if you can't access directly.

Anyone comment on the dangers of leaving cookie domain empty like I do? I do periodically have customers with login redirects, but it's not common and not sure if setting domains will help anyway.

Edit: domain.com and dev.domain.com seem to work fine in combination with my above answer using custom domain paths different for admins. Will update if any issues.