Index: includes/bootstrap.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v
retrieving revision 1.458
diff -u -p -r1.458 bootstrap.inc
--- includes/bootstrap.inc 28 Dec 2010 19:14:48 -0000 1.458
+++ includes/bootstrap.inc 29 Dec 2010 17:07:41 -0000
@@ -590,6 +590,11 @@ function drupal_settings_initialize() {
 if ($cookie_domain) {
 // If the user specifies the cookie domain, also use it for session name.
 $session_name = $cookie_domain;
+ // Per RFC 2109, cookie domains must start with a dot. We check if the user
+ // has omitted the first dot and add it if that is the case.
+ if (ord($cookie_domain) !== 46) {
+ $cookie_domain = '.' . $cookie_domain;
+ }
 }
 else {
 // Otherwise use $base_url as session name, without the protocol
Index: sites/default/default.settings.php
===================================================================
RCS file: /cvs/drupal/drupal/sites/default/default.settings.php,v
retrieving revision 1.51
diff -u -p -r1.51 default.settings.php
--- sites/default/default.settings.php 11 Oct 2010 23:49:48 -0000 1.51
+++ sites/default/default.settings.php 29 Dec 2010 17:07:41 -0000
@@ -286,9 +286,10 @@ ini_set('session.cookie_lifetime', 20000
 * the same Drupal site, you can either redirect them all to a single domain
 * (see comment in .htaccess), or uncomment the line below and specify their
 * shared base domain. Doing so assures that users remain logged in as they
- * cross between your various domains.
+ * cross between your various domains. Make sure to always prefix the base
+ * domain with a dot.
 */
-# $cookie_domain = 'example.com';
+# $cookie_domain = '.example.com';

 /**
 * Variable overrides:
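Review bot: The dot is prepended after `$session_name = $cookie_domain;`, so the session name is still taken from the value as typed while only the cookie domain is normalized. If the session name feeds the cookie name later in drupal_settings_initialize() (the rest of the function is outside this hunk), sites configured as `example.com` and `.example.com` would share a cookie scope but use different cookie names, and shared login would fail without any error. Consider normalizing before the assignment, or add a comment saying the ordering is deliberate to keep existing session names stable. Separately, `ord($cookie_domain) !== 46` hides the intent behind a magic number; `$cookie_domain[0] !== '.'` states it directly.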
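Review bot: The added sentence in default.settings.php tells administrators to use a leading dot but not what that scope implies: the session cookie is then sent to every host under the base domain. I would extend the comment with `* Only do this if every host under the base domain is equally trusted, since each of them will receive the session cookie.` The comment block starts above this hunk.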