Session cookies are created in bootstrap.inc Line 702 with session_start() function. But there is no other configuration about session.
I would prefer Drupal to set its cookies only for the path it is working. And it will be better, I think, to use a different session name other than the default PHPSESSID.
Session name may be OPTIONAL and commented out in settings.php but path of the cookie MUST BE equal to the directory specified in $base_url
So:
settings.php
124: ini_set('session.use_trans_sid', 0);
125: ini_set('url_rewriter.tags', '');
126:
127: $path = parse_url($base_url);
128: ini_set('session.cookie_path', $path["path"]);
129: //ini_set('session.name', 'DrupalSessionId');
I have these configurations on my test site and there is no error so far.
Note: I think not to set cookie for the working directory is a security vulnerability for applications that run on shared domain and use PHP's builtin session handlers because your cookie for your site in /path/to/drupal will be sent to the pages under /path/to and /path and /.
Comments
Comment #1
Egon Bianchet commentedComment #2
beginner commentedsubscribing.
This may be a duplicate, though:
http://drupal.org/project/issues?projects=3060&text=cookie_path&states=1...
Comment #3
pasqualleComment #4
valthebaldDuplicates #289145: Allow cookie_path for session cookies to be configured
Comment #5
darren oh