Index: includes/bootstrap.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v retrieving revision 1.161 diff -u -F^f -r1.161 bootstrap.inc --- includes/bootstrap.inc 25 Apr 2007 21:34:31 -0000 1.161 +++ includes/bootstrap.inc 28 Apr 2007 18:56:25 -0000 @@ -254,13 +254,14 @@ function drupal_unset_globals() { } /** - * Loads the configuration and sets the base URL correctly. + * Loads the configuration and sets the base URL, cookie domain, and + * session name correctly. */ function conf_init() { global $base_url, $base_path, $base_root; // Export the following settings.php variables to the global namespace - global $db_url, $db_prefix, $conf, $installed_profile; + global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile; $conf = array(); include_once './'. conf_path() .'/settings.php'; @@ -288,6 +289,31 @@ function conf_init() { $base_path = '/'; } } + + if ($cookie_domain) { + // If the user specifies the cookie domain, also use it for session name. + $session_name = $cookie_domain; + } + else { + // Otherwise use $base_url for session name. + $session_name = $base_url; + // We try to set the cookie domain to the hostname. + if (!empty($_SERVER['HTTP_HOST'])) { + $cookie_domain = $_SERVER['HTTP_HOST']; + } + } + // Strip leading periods, www., and port numbers from cookie domain. + $cookie_domain = ltrim($cookie_domain, '.'); + if (strpos($cookie_domain, 'www.') === 0) { + $cookie_domain = substr($cookie_domain, 4); + } + $cookie_domain = '.'. array_shift(explode(':', $cookie_domain)); + // Per RFC 2109, cookie domains must contain at least one dot other than the + // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain. + if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) { + ini_set('session.cookie_domain', $cookie_domain); + } + session_name('SESS'. md5($session_name)); } /** Index: sites/default/settings.php =================================================================== RCS file: /cvs/drupal/drupal/sites/default/settings.php,v retrieving revision 1.54 diff -u -F^f -r1.54 settings.php --- sites/default/settings.php 28 Mar 2007 14:08:22 -0000 1.54 +++ sites/default/settings.php 28 Apr 2007 18:56:25 -0000 @@ -137,27 +137,14 @@ ini_set('url_rewriter.tags', ''); /** - * We try to set the correct cookie domain. - */ -if (isset($_SERVER['HTTP_HOST'])) { - $domain = '.'. preg_replace('`^www\.`', '', $_SERVER['HTTP_HOST']); - // Per RFC 2109, cookie domains must contain at least one dot other than the - // first. For hosts such as 'localhost', we don't set a cookie domain. - if (count(explode('.', $domain)) > 2) { - ini_set('session.cookie_domain', $domain); - } -} - -/** - * On some sites, multiple domains or subdomains may point to the same site. - * For instance, example.com may redirect to foo.example.com. In that case, - * the browser may confuse the cookies between the two domains, resulting in - * an inability to log in. In that case, uncomment the line below and set - * it to the more generic domain name. For instance, .example.com is more - * generic than .foo.example.com. Remember the leading period on the domain - * name, even if you wouldn't type it in your browser. - */ -#ini_set('session.cookie_domain', '.example.com'); + * Drupal automatically generates a unique session cookie name for each site + * based on on its full domain name. If you have multiple domains pointing at + * the same Drupal site, you can either redirect them all to a single + * domain (see comment in .htaccess), or uncomment the line below and specify + * their shared base domain. +*/ + +#$cookie_domain = 'example.com'; /** * Variable overrides: