www.abc.com drupal cookie can't be read by www.xyz.com drupal...

I haven't dug into the code, but setting the cookie domain with a leading '.' (.drupal.org) would take care of that.

It does work. I do this with a postnuke installation and just tested it with drupal-cvs. If you want to try it you can edit user.module line 579 (this is the line number in a cvs snapshot from a couple days ago, not sure of the number for 4.1). Find:

setcookie(session_name(), session_id(), time() + 3600 * 24 * 365);

replace it with:

setcookie(session_name(), session_id(), time() + 3600 * 24 * 365, "/", ".yourdomain.com");

changing 'yourdomain' for your domain name

I have done some research , specifically re: single logins across multiple domains.

IE: log into osdn (slashdot) , and you are logged into thinkgeek and newsforge aswell. (all running on totally different domains , not even subdomains).

It seems the trick is to use a web bug. ie : an tag pointing to a php script lying on the main domain (ie: osdn.com) , when you are on a new domain that doesnt have a login session .. it replicates the login cookie from the main site via headers.

I am still doing more research into this , as I realized single login -> multiple domains are something i could really use =)

adrian's work aside, I think that the easiest way to address www.mysite.org versus mysite.org, at least for me, was to set $base_url in include/conf.php to www.mysite.org.

This way, anyone accessing my site at mysite.org has to follow a link to www.mysite.org in order to log in, so the cookie is always set that way.

Moving logins from *.mysite.org to *.anothersite.org is another matter entirely. And a lot more work!

there is no bug or clear feature request in here. marking 'by design'

Disagree with marking BY DESIGN.
Have changed to a feature request and updated the summary.

Drupal should redirect users from http://www.foo.com to http://foo.com in order to resolve issues with the handling of cookies between these domains.

This should probably be an admin-configurable option, or maybe even provided by an additional module using the _init hook?

Have a look at redirect.module in Contrib. I forgot that I wrote that
oen. Wil work finr for this purpose. It uses the _init() hook as you
suggest.

Al Maw wrote:

Hmmm... I'm not sure quite what to do with this one. I'm tempted to WONTFIX it, as the problem can be solved elsewhere. However, this is a common problem, as most people these days run sites at foo.com and www.foo.com and expect people to appear from either.

Lots of people have this issue, so I'm therefore thinking that a fix that solves this problem should be incorporated into the core Drupal release, and not be something you can do with a contrib module provided you read all the docs and hunt around for it.

What do other people think?

Can't you define the session.cookie_domain variable in your .htaccess file, or set it on the fly using session_set_cookie_params()?

Yes, you can, but its an inferior solution, as lots of IE6 users have their default security policy set up to block cross-domain cookie use.

The fixes suggested by Paul_C and Dries do indeed work. Just set the cookie with a leading '.'. I tested with several browsers. See drupal.org, which sets its cookie to .drupal.org.

I think this is a documentation issue at this point.

Adrian wrote some time ago:
I have done some research , specifically re: single logins across multiple domains.
IE: log into osdn (slashdot) , and you are logged into thinkgeek and newsforge aswell. (all running on totally different domains , not even subdomains).
It seems the trick is to use a web bug. ie : an tag pointing to a php script lying on the main domain (ie: osdn.com) , when you are on a new domain that doesnt have a login session .. it replicates the login cookie from the main site via headers.
I am still doing more research into this , as I realized single login -> multiple domains are something i could really use =)

Adrian's not the only one. Right now, using Drupal 'anywhere' logins, you have no selectivity if you open up your site to that... Any domain would work, and going from domain www.abc.com to www.xyz.com is NOT transparent, but requires yet another login (even if you could login using username@www.abc.com).
Please note this is NOT the same thing as sitea.abc.com and siteb.abc.com (which we have now)
Domain cookie security requires a work around to allow.
(See http://support.softartisans.com/kbview.aspx?ID=666 for an example I found that uses ASP)
Adrian's description is pretty much the same idea.

Adding this functionality would allow someone with 2 or more related drupal-running domains to easily share users as they can (say all using a single user table prefix) AND not force that user to relogin when going from one to the others...

When you think of all of the drupal-using multiple site hosts where the userbase is shared, this is a much needed functionality, and should be as simple as a user.module cookie change, combined with a conf.php addition (Is this site the master cookie, or a slave cookie? If master, what sites will I slave to, and if slave what site is my master cookie...)

in your php settings, you control what domain you wish to set cookies on. in your example, you could set the cookie on .abc.com and it is readable by both domains.

you might be interested in sso.module: http://drupal.org/project/sso. this module enables single sign on across dissimilar domains.

"In your php settings, you control what domain you wish to set cookies on. in your example, you could set the cookie on .abc.com and it is readable by both domains."

That won't work for anyone who has cross-domain cookies off due to security (a default setting).
Setting .abc.com from .xyz.com is consider a poor practice and dangerous, so it's blocked.

However this _will_ work:

"you might be interested in sso.module: http://drupal.org/project/sso. this module enables single sign on across dissimilar domains"

It's deleted from the current CVS, so most links are broken, but looking in the attic, it's there (yeah for CVS). This does EXACTLY what I want, the right way.

But it's unmaintained... someone feel like taking it on, or do I have go get a drupal account for myself and do it? I can't even move this thread to the sso project...

How do you get the cookie from being lost when you have a setup like mine.

You can get to my site by multiple methods:

http://www.apockotos.com <- Baseurl set in the settings

But the site can be accessed by:

http://apockotos.com
http://www.apokotos.com
http://apokotos.com
http://www.peterapockotos.com
http://peterapockotos.com

and if someone does use these alternatives the cookie is lost and user has to re-login.

Is there an easy resolution for this?

Feature request moving to cvs.

From settings.php:

/**
 * Drupal automatically generates a unique session cookie name for each site
 * based on on its full domain name. If you have multiple domains pointing at
 * the same Drupal site, you can either redirect them all to a single domain
 * (see comment in .htaccess), or uncomment the line below and specify their
 * shared base domain. Doing so assures that users remain logged in as they
 * cross between your various domains.
 */
# $cookie_domain = 'example.com';

If you want a single, shared login across multiple domains (base domains), you might want to use http://drupal.org/project/singlesignon module. However, Drupal core won't support such advanced use-cases by default, because they require some more trickery and you should know what you are doing and why you are doing something.

I know this is an old issue, but the title is exactly what I need (even if the message bodies might have gotten more specific.)

I have a Drupal site that allows users to have custom subdomains. Consider the following:

• The main site is www.abc.com, and the $cookie_domain is set to www.abc.com.
• A CNAME record is created for www.xyz.com that points to www.abc.com.
• Everything works properly, except that when the user tries to log onto www.xyz.com, the page just refreshes - the user can't log in.
• Changing the $cookie_domain to www.xyz.com allows logins to xyz.com, but logins to abc.com stop working.
• UNLIKE the situations outlined above, I don't care if the sessions are maintained when switching between domains - I just need logins to work.

I haven't fully tried it yet, but would setting the following in settings.php work?
$cookie_domain = $_SERVER['HTTP_HOST'];