#56357 by JohnAlbin, et al. Improve cookie naming to prevent conflicting cookies set on the same domain name.

2007-07-09 04:28:12 +00:00 · 2007-07-09 04:28:12 +00:00 · 7146cb7eeb
parent f9d72b469e
commit 7146cb7eeb
2 changed files with 44 additions and 22 deletions
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@ -230,11 +230,16 @@ function drupal_unset_globals() {
 }

 /**
- * Loads the configuration and sets the base URL correctly.
+ * Loads the configuration and sets the base URL, cookie domain, and
+ * session name correctly.
 */
 function conf_init() {
-  global $db_url, $db_prefix, $base_url, $base_path, $base_root, $conf, $installed_profile;
+  global $base_url, $base_path, $base_root;
+
+  // Export the following settings.php variables to the global namespace
+  global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile;
  $conf = array();
+
  include_once './'. conf_path() .'/settings.php';

  if (isset($base_url)) {
@ -260,6 +265,36 @@ function conf_init() {
      $base_path = '/';
    }
  }
+
+  if (!$cookie_domain) {
+    // If the $cookie_domain is empty, try to use the session.cookie_domain.
+    $cookie_domain = ini_get('session.cookie_domain');
+  }
+  if ($cookie_domain) {
+    // If the user specifies the cookie domain, also use it for session name.
+    $session_name = $cookie_domain;
+  }
+  else {
+    // Otherwise use $base_url for session name.
+    $session_name = $base_url;
+    // We try to set the cookie domain to the hostname.
+    if (!empty($_SERVER['HTTP_HOST'])) {
+      $cookie_domain = $_SERVER['HTTP_HOST'];
+    }
+  }
+  // Strip leading periods, www., and port numbers from cookie domain.
+  $cookie_domain = ltrim($cookie_domain, '.');
+  if (strpos($cookie_domain, 'www.') === 0) {
+    $cookie_domain = substr($cookie_domain, 4);
+  }
+  $cookie_domain = explode(':', $cookie_domain);
+  $cookie_domain = '.'. $cookie_domain[0];
+  // Per RFC 2109, cookie domains must contain at least one dot other than the
+  // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
+  if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
+    ini_set('session.cookie_domain', $cookie_domain);
+  }
+  session_name('SESS'. md5($session_name));
 }

 /**
--- a/sites/default/settings.php
+++ b/sites/default/settings.php
@ -137,27 +137,14 @@ ini_set('session.use_trans_sid',    0);
 ini_set('url_rewriter.tags',        '');

 /**
- * We try to set the correct cookie domain.
+ * Drupal automatically generates a unique session cookie name for each site
+ * based on on its full domain name. If you have multiple domains pointing at
+ * the same Drupal site, you can either redirect them all to a single domain
+ * (see comment in .htaccess), or uncomment the line below and specify their
+ * shared base domain. Doing so assures that users remain logged in as they
+ * cross between your various domains.
 */
-if (isset($_SERVER['HTTP_HOST'])) {
-  $domain = '.'. preg_replace('`^www\.`', '', $_SERVER['HTTP_HOST']);
-  // Per RFC 2109, cookie domains must contain at least one dot other than the
-  // first. For hosts such as 'localhost', we don't set a cookie domain.
-  if (count(explode('.', $domain)) > 2) {
-    ini_set('session.cookie_domain', $domain);
-  }
-}
-
-/**
- * On some sites, multiple domains or subdomains may point to the same site.
- * For instance, example.com may redirect to foo.example.com. In that case,
- * the browser may confuse the cookies between the two domains, resulting in
- * an inability to log in. In that case, uncomment the line below and set
- * it to the more generic domain name. For instance, .example.com is more
- * generic than .foo.example.com. Remember the leading period on the domain
- * name, even if you wouldn't type it in your browser.
- */
-#ini_set('session.cookie_domain', '.example.com');
+# $cookie_domain = 'example.com';

 /**
 * Variable overrides: