Index: includes/bootstrap.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v
retrieving revision 1.161
diff -u -p -r1.161 bootstrap.inc
--- includes/bootstrap.inc	25 Apr 2007 21:34:31 -0000	1.161
+++ includes/bootstrap.inc	28 Apr 2007 15:23:02 -0000
@@ -254,13 +254,14 @@ function drupal_unset_globals() {
 }
 
 /**
- * Loads the configuration and sets the base URL correctly.
+ * Loads the configuration and sets the base URL, cookie domain, and
+ * session name correctly.
  */
 function conf_init() {
   global $base_url, $base_path, $base_root;
 
   // Export the following settings.php variables to the global namespace
-  global $db_url, $db_prefix, $conf, $installed_profile;
+  global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile;
   $conf = array();
 
   include_once './'. conf_path() .'/settings.php';
@@ -288,6 +289,33 @@ function conf_init() {
       $base_path = '/';
     }
   }
+
+  if ($cookie_domain) {
+    // If the user specifies the cookie domain, also use it for session name.
+    $session_name = $cookie_domain;
+  }
+  else {
+    // Otherwise use $base_url for session name.
+    $session_name = $base_url;
+    // We try to set the cookie domain to the hostname.
+    if (!empty($_SERVER['HTTP_HOST'])) {
+      $cookie_domain = $_SERVER['HTTP_HOST'];
+    }
+  }
+  // Strip leading periods, www., and port numbers from cookie domain.
+  $cookie_domain = '.'. ltrim($cookie_domain, '.');
+  if (strpos($cookie_domain, 'www.') === 0) {
+    $cookie_domain = substr($cookie_domain, 0, 4);
+  }
+  $cookie_domain = array_shift(explode(':', $cookie_domain));
+  // Per RFC 2109, cookie domains must contain at least one dot other than the
+  // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
+  if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
+    ini_set('session.cookie_domain', $cookie_domain);
+  }
+  // The session name can only contain alphanumeric characters and must contain
+  // at least one letter.
+  session_name('SESS'. md5($session_name));
 }
 
 /**
Index: sites/default/settings.php
===================================================================
RCS file: /cvs/drupal/drupal/sites/default/settings.php,v
retrieving revision 1.54
diff -u -p -r1.54 settings.php
--- sites/default/settings.php	28 Mar 2007 14:08:22 -0000	1.54
+++ sites/default/settings.php	28 Apr 2007 15:23:04 -0000
@@ -137,27 +137,31 @@ ini_set('session.use_trans_sid',    0);
 ini_set('url_rewriter.tags',        '');
 
 /**
- * We try to set the correct cookie domain.
- */
-if (isset($_SERVER['HTTP_HOST'])) {
-  $domain = '.'. preg_replace('`^www\.`', '', $_SERVER['HTTP_HOST']);
-  // Per RFC 2109, cookie domains must contain at least one dot other than the
-  // first. For hosts such as 'localhost', we don't set a cookie domain.
-  if (count(explode('.', $domain)) > 2) {
-    ini_set('session.cookie_domain', $domain);
-  }
-}
-
-/**
- * On some sites, multiple domains or subdomains may point to the same site.
- * For instance, example.com may redirect to foo.example.com. In that case,
- * the browser may confuse the cookies between the two domains, resulting in
- * an inability to log in. In that case, uncomment the line below and set
- * it to the more generic domain name. For instance, .example.com is more
- * generic than .foo.example.com. Remember the leading period on the domain
- * name, even if you wouldn't type it in your browser.
+ * To prevent "inability to log in" issues for organizations with multiple URLs
+ * for one or more Drupal sites, Drupal will use a unique login session cookie
+ * for each URL.
+ *
+ * For instance, example.com, foo.example.com, example.com/bar, and
+ * example.com/bar2 will each have an unique login session cookie.
+ *
+ * However, for some organizations, multiple subdomains may point to the same
+ * site. For instance, foo.example.com may be an alias for www.example.com. In
+ * that case, users that log in to www.example.com will not be logged in to
+ * foo.example.com. To fix this issue, uncomment the line below and set it to
+ * the more generic domain name. For instance, example.com is more generic than
+ * foo.example.com.
+ *
+ * Other organizations may have separate Drupal sites in the same domain, but
+ * want to share a single login session using the $db_prefix option above. For
+ * instance: example.com/foo and example.com/bar have separate Drupal settings
+ * files, but share user and session database tables using $db_prefix. In that
+ * case, users that log in to example.com/foo will not be logged in to
+ * example.com/bar. To fix this issue, uncomment the line below and set it to
+ * the more generic domain name. For instance, example.com is more generic than
+ * foo.example.com. You will need to use this same value in your other
+ * settings.php files.
  */
-#ini_set('session.cookie_domain', '.example.com');
+#$cookie_domain = 'example.com';
 
 /**
  * Variable overrides: