I'll answer your second question first.
Set abort to true, then add a record to your hostnames table for your main domain. This works because the subdomain check only looks at the hostnames table, not the websites table, so you don't need it to be a full tenant, just a "reserved" hostname.
As for sharing the session, that's actually covered in the laravel docs. I don't have a link handy for you, but should be easily found by searching for
SESSION_DOMAIN. In short, the session cookie will be restricted to the current domain (i.e. example.com). What you want is *.example.com. In cookie terminology, this is achieved by using
.example.com (note the leading dot)