Session cookies are created in bootstrap.inc Line 702 with session_start() function. But there is no other configuration about session.

I would prefer Drupal to set its cookies only for the path it is working. And it will be better, I think, to use a different session name other than the default PHPSESSID.

Session name may be OPTIONAL and commented out in settings.php but path of the cookie MUST BE equal to the directory specified in $base_url

So:

settings.php

124: ini_set('session.use_trans_sid',    0);
125: ini_set('url_rewriter.tags',        '');
126: 
127: $path = parse_url($base_url);
128: ini_set('session.cookie_path',  $path["path"]);
129: //ini_set('session.name',  'DrupalSessionId');

I have these configurations on my test site and there is no error so far.

Note: I think not to set cookie for the working directory is a security vulnerability for applications that run on shared domain and use PHP's builtin session handlers because your cookie for your site in /path/to/drupal will be sent to the pages under /path/to and /path and /.

Comments

Egon Bianchet’s picture

Version: 4.7.0-rc2 » x.y.z
beginner’s picture

Version: x.y.z » 6.x-dev
Priority: Minor » Normal
pasqualle’s picture

Version: 6.x-dev » 7.x-dev
valthebald’s picture

Version: 7.x-dev » 8.x-dev
Status: Active » Closed (duplicate)
darren oh’s picture