If WordPress is installed in /subfolder/, then the authentication cookies will by default only valid for that path.
So if needed, you can allow the cookies in parent directory by setting the cookie constants like COOKIEPATH.
For example, if I had WordPress installed at example.com/wp/ and I wanted the authentication works at example.com/, then I’d define the following in wp-config.php: (but I don’t know much about the differences between the SITECOOKIEPATH and COOKIEPATH, other than that the former seems to be specific to Multisite)
define( 'COOKIEPATH', "https://wordpress.stackexchange.com/" );
define( 'SITECOOKIEPATH', "https://wordpress.stackexchange.com/" );
define( 'ADMIN_COOKIE_PATH', '/wp/wp-admin' );
But the thing is, you’d need to logout first before applying the above changes, and so does with all other users who were already logged-in on your site, i.e. log out before you applied the above changes.
So you’d want to just invalidate all (existing) WordPress cookies by changing the security keys like LOGGED_IN_KEY — all users will have to login again, but at least, they’d be able to login properly.