Allow cookie_path for session cookies to be configured

Re-published this issue and moved it to D7.

Summary of #456 on s.d.o:

If drupal is installed in http://www.example.com/drupal, setting the cookie path to /drupal offers little additional security because another application installed in http://www.example.com/evilapp can still access the drupal cookie. See item #3 at http://code.google.com/p/doctype/wiki/ArticleCompartmentalizingApplications

But it might be cleaner to set the right cookie path, so I'll keep this issue active for future versions.

Patch no longer applies.

#4: session-cookie-path-289145.patch queued for re-testing.

This could be a major security issue. Is there any reason why this hasn't been integrated into core?

Because setting the path offers little to no security.

It might offer no security, but it is still useful for people running multiple Drupal sites on the same domain. Right now I have one site in the root directory, and one site in a subdirectory, and visiting one logs you out of the other because they both create a session on the root path.

Yes, I agree it should still be fixed despite not being a security issue. I was just arguing against the statement that this could be a "major security issue".

As I understand the code, multiple sites across root and subdirectories should not conflict if $cookie_domain is not set. Since the subdirectory is included in $base_url, it is also used in determining the session name when the cookie domain is being dynamically determined, and each site should receive a unique hash. Once $cookie_domain is specified, however, all sites will receive the same hash based on only $cookie_domain, and there is no way to prevent a conflict between sessions on multiple sites.

Here's a patch with a different approach, as I tried to remove any disturbance for existing sites, but enable use of a path in setting cookies if needed.

What about adding that into $conf instead of including another global variable?

Re-roll.

This version of the patch uses $conf as suggested in #13.

This patch uses the existing $base_path instead of having it be configurable. This is the approach used in language_cookie module in #2882384: Set cookie path to the root folder of Drupal installation.

This is #16 with a better comment.

Liam, have you confirmed that this issue exists in Drupal 9?

Yes, I am observing this in Drupal 9.2.x. It can be fixed on a per-site basis by putting this in the site's settings.php:

ini_set('session.cookie_path', '/' . '/site/path');

Raised the same issue @https://www.drupal.org/project/drupal/issues/3268422.

Problem description :-

The application uses a cookie The path attribute is '/' as default which exposes Security Misconfiguration vulnerability
Enable the SECURE attribute to disallow the cookie to be sent over an unencrypted channel.
The 'path' attribute signifies the URL or path for which the cookie is valid. The proper scope of the ‘path’ attribute should be set. Example: If the application resides at /myapp/, then set to ""; path=/myapp/"" and NOT ""; path=/"".

Drupal version : 9.3.x

Attempted Solution :-:-

Tried with ini_set('session.cookie_path', '/' . '/site/path'); in settings.php but didn't work for me.

Help Required :-:-

Looking for a patch which can work for >=9.3 version.

The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

Some more explanation about why this would not be a security measure: https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie#security