diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 83231b0..58a9a50 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -725,7 +725,7 @@ function drupal_settings_initialize() {
   global $base_url, $base_path, $base_root;
 
   // Export these settings.php variables to the global namespace.
-  global $databases, $cookie_domain, $conf, $installed_profile, $update_free_access, $db_url, $db_prefix, $drupal_hash_salt, $is_https, $base_secure_url, $base_insecure_url;
+  global $databases, $cookie_domain, $cookie_path, $conf, $installed_profile, $update_free_access, $db_url, $db_prefix, $drupal_hash_salt, $is_https, $base_secure_url, $base_insecure_url;
   $conf = array();
 
   if (file_exists(DRUPAL_ROOT . '/' . conf_path() . '/settings.php')) {
@@ -765,8 +765,13 @@ function drupal_settings_initialize() {
   $base_insecure_url = str_replace('https://', 'http://', $base_url);
 
   if ($cookie_domain) {
-    // If the user specifies the cookie domain, also use it for session name.
+    // If the user specifies the cookie domain, use it for session name.
     $session_name = $cookie_domain;
+
+    // If the user specifies the cookie path, include it in session name.
+    if ($cookie_path && $cookie_path !== '/') {
+      $session_name .= $cookie_path;
+    }
   }
   else {
     // Otherwise use $base_url as session name, without the protocol
@@ -785,11 +790,16 @@ function drupal_settings_initialize() {
       $cookie_domain = '.' . $cookie_domain[0];
     }
   }
+
   // Per RFC 2109, cookie domains must contain at least one dot other than the
   // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
   if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
     ini_set('session.cookie_domain', $cookie_domain);
   }
+  if ($cookie_path && $cookie_path !== '/') {
+    ini_set('session.cookie_path', $cookie_path);
+  }
+
   // To prevent session cookies from being hijacked, a user can configure the
   // SSL version of their website to only transfer session cookies via SSL by
   // using PHP's session.cookie_secure setting. The browser will then use two
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 7e36a4a..9fdea27 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -326,6 +326,14 @@ ini_set('session.cookie_lifetime', 2000000);
 # $cookie_domain = '.example.com';
 
 /**
+ * By default, Drupal sets cookies to the root path of the domain, which causes
+ * session cookies to be available across sites within subdirectories on the
+ * same domain. To restrict cookies by path, uncomment the line below and
+ * specify the site's path.
+ */
+# $cookie_path='/';
+
+/**
  * Variable overrides:
  *
  * To override specific entries in the 'variable' table for this site,
