Index: includes/bootstrap.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v
retrieving revision 1.161
diff -u -p -r1.161 bootstrap.inc
--- includes/bootstrap.inc	25 Apr 2007 21:34:31 -0000	1.161
+++ includes/bootstrap.inc	27 Apr 2007 02:41:36 -0000
@@ -254,13 +254,14 @@ function drupal_unset_globals() {
 }
 
 /**
- * Loads the configuration and sets the base URL correctly.
+ * Loads the configuration and sets the base URL, cookie domain, and
+ * session name correctly.
  */
 function conf_init() {
   global $base_url, $base_path, $base_root;
 
   // Export the following settings.php variables to the global namespace
-  global $db_url, $db_prefix, $conf, $installed_profile;
+  global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile;
   $conf = array();
 
   include_once './'. conf_path() .'/settings.php';
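Review bot: `$cookie_domain` is added to the `global` list but, unlike `$conf`, is not reset before `settings.php` is included, and the shipped settings.php leaves its assignment commented out. In the default configuration the value tested later in conf_init() is therefore whatever the global scope already held; whether drupal_unset_globals() has run by that point is not visible from this hunk. Adding `$cookie_domain = '';` next to `$conf = array();` would make settings.php the only source of the value. conf_init() continues past the end of this hunk.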
@@ -288,6 +289,29 @@ function conf_init() {
       $base_path = '/';
     }
   }
+
+  if ($cookie_domain) {
+    // If the user specifies the cookie domain, also use it for session name.
+    $session_name = $cookie_domain;
+  }
+  else {
+    // Otherwise use $base_url for session name.
+    $session_name = $base_url;
+    // We try to set the cookie domain to the hostname.
+    if (!empty($_SERVER['HTTP_HOST'])) {
+      $cookie_domain = $_SERVER['HTTP_HOST'];
+    }
+  }
+  // Strip leading periods, www., IP addresses, and port numbers from cookie domain.
+  $cookie_domain = '.'. preg_replace('`(^\.?(www\.|)|[\d:\.]+$)`', '', $cookie_domain);
+  // Per RFC 2109, cookie domains must contain at least one dot other than the
+  // first. For hosts such as 'localhost', we don't set a cookie domain.
+  if (count(explode('.', $cookie_domain)) > 2) {
+    ini_set('session.cookie_domain', $cookie_domain);
+  }
+  // The session name can only contain alphanumeric characters and must contain
+  // at least one letter.
+  session_name('SESS'.preg_replace('`(^https?://(www\.|)|[^a-z\d])`i', '', $session_name));
 }
 
 /**
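Review bot: `$_SERVER['HTTP_HOST']` is supplied by the client, and the fallback branch copies it into `$cookie_domain` with only a leading `www.` and trailing digits, colons and dots removed, so any other characters in the header reach `ini_set('session.cookie_domain', ...)`. Checking the value against a hostname pattern first, e.g. `if (!empty($_SERVER['HTTP_HOST']) && preg_match('/^[a-z0-9.-]+(:\d+)?$/i', $_SERVER['HTTP_HOST'])) {`, keeps malformed hosts out of the cookie settings and lets them fall through to the existing no-domain case. Separately, the session name is built by deleting every non-alphanumeric character, which is lossy: distinct base URLs such as `example.com/a-b` and `example.com/ab` (constructed example) map to the same name, and long URLs produce long cookie names. `session_name('SESS'. md5($session_name));` would give a fixed-length name that still satisfies the alphanumeric rule. conf_init() begins above this hunk, so how `$base_url` is derived is not visible here.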
Index: sites/default/settings.php
===================================================================
RCS file: /cvs/drupal/drupal/sites/default/settings.php,v
retrieving revision 1.54
diff -u -p -r1.54 settings.php
--- sites/default/settings.php	28 Mar 2007 14:08:22 -0000	1.54
+++ sites/default/settings.php	27 Apr 2007 02:41:36 -0000
@@ -137,27 +137,31 @@ ini_set('session.use_trans_sid',    0);
 ini_set('url_rewriter.tags',        '');
 
 /**
- * We try to set the correct cookie domain.
- */
-if (isset($_SERVER['HTTP_HOST'])) {
-  $domain = '.'. preg_replace('`^www\.`', '', $_SERVER['HTTP_HOST']);
-  // Per RFC 2109, cookie domains must contain at least one dot other than the
-  // first. For hosts such as 'localhost', we don't set a cookie domain.
-  if (count(explode('.', $domain)) > 2) {
-    ini_set('session.cookie_domain', $domain);
-  }
-}
-
-/**
- * On some sites, multiple domains or subdomains may point to the same site.
- * For instance, example.com may redirect to foo.example.com. In that case,
- * the browser may confuse the cookies between the two domains, resulting in
- * an inability to log in. In that case, uncomment the line below and set
- * it to the more generic domain name. For instance, .example.com is more
- * generic than .foo.example.com. Remember the leading period on the domain
- * name, even if you wouldn't type it in your browser.
+ * To prevent "inability to log in" issues for organizations with multiple URLs
+ * for one or more Drupal sites, Drupal will use an unique login session cookie
+ * for each URL.
+ *
+ * For instance, example.com, foo.example.com, example.com/bar, and
+ * example.com/bar2 will each have an unique login session cookie.
+ *
+ * However, for some organizations, multiple subdomains may point to the same
+ * site. For instance, foo.example.com may be an alias for www.example.com. In
+ * that case, users that log in to www.example.com will not be logged in to
+ * foo.example.com. To fix this issue, uncomment the line below and set it to
+ * the more generic domain name. For instance, example.com is more generic than
+ * foo.example.com.
+ *
+ * Other organizations may have separate Drupal sites in the same domain, but
+ * want to share a single login session using the $db_prefix option above. For
+ * instance: example.com/foo and example.com/bar have separate Drupal settings
+ * files, but share user and session database tables using $db_prefix. In that
+ * case, users that log in to example.com/foo will not be logged in to
+ * example.com/bar. To fix this issue, uncomment the line below and set it to
+ * the more generic domain name. For instance, example.com is more generic than
+ * foo.example.com. You will need to use this same value in your other
+ * settings.php files.
  */
-#ini_set('session.cookie_domain', '.example.com');
+#$cookie_domain = 'example.com';
 
 /**
  * Variable overrides:
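Review bot: The new comment tells administrators to widen `$cookie_domain` but does not say what that costs: the session cookie is then sent to every host under that domain, including hosts that do not run Drupal. I would add a sentence such as `Note that the session cookie will then be sent to every host under that domain, so only widen it when all of those hosts are trusted.` Also, the third paragraph is about sites at different paths (example.com/foo and example.com/bar) yet ends with the subdomain example `example.com is more generic than foo.example.com`, which looks copied from the paragraph above, and `an unique` should read `a unique`.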
