diff --git a/core/includes/bootstrap.inc b/core/includes/bootstrap.inc
index 6c69150..f0d4526 100644
--- a/core/includes/bootstrap.inc
+++ b/core/includes/bootstrap.inc
@@ -766,7 +766,7 @@ function drupal_settings_initialize() {
   global $base_url, $base_path, $base_root;
 
   // Export the following settings.php variables to the global namespace
-  global $databases, $cookie_domain, $conf, $installed_profile, $update_free_access, $db_url, $db_prefix, $drupal_hash_salt, $is_https, $base_secure_url, $base_insecure_url;
+  global $databases, $cookie_domain, $conf, $installed_profile, $update_free_access, $db_url, $db_prefix, $drupal_hash_salt, $is_https, $base_secure_url, $base_insecure_url, $session_cookie_path;
   $conf = array();
 
   if (file_exists(DRUPAL_ROOT . '/' . conf_path() . '/settings.php')) {
@@ -814,9 +814,18 @@ function drupal_settings_initialize() {
   $base_secure_url = str_replace('http://', 'https://', $base_url);
   $base_insecure_url = str_replace('https://', 'http://', $base_url);
 
+  // Set session cookie path.
+  // @see http://drupal.org/node/289145
+  if (!isset($session_cookie_path) || @strlen($session_cookie_path) < 1) {
+    $session_cookie_path = $base_path;
+  }
+  if (strlen($session_cookie_path) < 1) {
+    $session_cookie_path = '/';
+  }
+
   if ($cookie_domain) {
-    // If the user specifies the cookie domain, also use it for session name.
-    $session_name = $cookie_domain;
+    // If the user specifies the cookie domain and base path, use it for session name.
+    $session_name = $cookie_domain . $base_path;
   }
   else {
     // Otherwise use $base_url as session name, without the protocol
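Review bot: The `@strlen($session_cookie_path) < 1` test on the first added `if` suppresses the one warning that would tell an administrator the override is mis-typed; a non-string value from settings.php (an array, say) makes `strlen()` return NULL under the `@`, is silently replaced by `$base_path`, and nothing is logged. Make the check explicit instead: `if (!isset($session_cookie_path) || !is_string($session_cookie_path) || $session_cookie_path === '') {`. Nothing verifies that an override begins with `/` either; as I read RFC 6265 §5.2.4 a browser ignores a Path attribute that does not start with `/` and falls back to the request's default path, so a value like `'drupal/'` would quietly defeat the scoping this patch introduces — a comment stating the required form, or a guard that prepends `/`, would close that gap. The `$session_name` built from `$cookie_domain . $base_path` is consumed further down in `drupal_settings_initialize()`, outside this hunk.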
@@ -835,11 +844,6 @@ function drupal_settings_initialize() {
       $cookie_domain = '.' . $cookie_domain[0];
     }
   }
-  // Per RFC 2109, cookie domains must contain at least one dot other than the
-  // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
-  if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
-    ini_set('session.cookie_domain', $cookie_domain);
-  }
   // To prevent session cookies from being hijacked, a user can configure the
   // SSL version of their website to only transfer session cookies via SSL by
   // using PHP's session.cookie_secure setting. The browser will then use two
diff --git a/core/includes/session.inc b/core/includes/session.inc
index df70f0e..b661d69 100644
--- a/core/includes/session.inc
+++ b/core/includes/session.inc
@@ -235,7 +235,16 @@ function _drupal_session_write($sid, $value) {
  */
 function drupal_session_initialize() {
   global $user, $is_https;
+  global $session_cookie_path, $cookie_domain;
 
+  // Per RFC 2109, cookie domains must contain at least one dot other than the
+  // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
+  if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
+    session_set_cookie_params(session.cookie_lifetime, $session_cookie_path, $cookie_domain);
+  }
+  else {
+    session_set_cookie_params(session.cookie_lifetime, $session_cookie_path);
+  }
   session_set_save_handler('_drupal_session_open', '_drupal_session_close', '_drupal_session_read', '_drupal_session_write', '_drupal_session_destroy', '_drupal_session_garbage_collection');
 
   // We use !empty() in the following check to ensure that blank session IDs
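Review bot: `session.cookie_lifetime` in both new `session_set_cookie_params()` calls is not a way to read the ini value in PHP — it parses as the undefined constant `session` concatenated with the undefined constant `cookie_lifetime`, so the first argument is the string `'sessioncookie_lifetime'` (with notices) rather than the lifetime configured in settings.php, and depending on the PHP version the call either fails with a warning, leaving path and domain unset, or applies a zero lifetime. Read the value explicitly, `$lifetime = (int) ini_get('session.cookie_lifetime');`, and pass `$lifetime` to both calls. Leaving the `secure` and `httponly` arguments off appears deliberate, since the `session.cookie_secure` ini_set in bootstrap must survive; a one-line comment such as `// Only lifetime, path and domain are set here; cookie_secure is configured in bootstrap.inc.` would stop someone later "completing" the argument list with FALSE. `drupal_session_initialize()` continues past this hunk.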
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 360e556..99aceaf 100755
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -314,6 +314,18 @@ ini_set('session.cookie_lifetime', 2000000);
 # $cookie_domain = '.example.com';
 
 /**
+ * Potential security hole:
+ * if your cookie path is entire site but your drupal instance is down
+ * in a sub directory, the cookie should limit itself to that directory.
+ * If not, then if anybody else can grab the cookie (say in another directory
+ * that you don't control), they now have a copy of your cookie and can
+ * impersonate you on your own site.
+ * Be default, drupal figures session cookie path automatically,
+ * but you can override the default value.
+ */
+# $session_cookie_path='/';
+
+/**
  * Variable overrides:
  *
  * To override specific entries in the 'variable' table for this site,
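Review bot: The new comment block has typos and, more importantly, does not say what a valid override looks like: `Be default` should read `By default`, `is down in a sub directory` should read `is installed in a subdirectory`, and the example `$session_cookie_path='/'` is exactly the host-wide path the paragraph warns against. I would rephrase the block to say that a cookie scoped to the whole host is readable by any other application served from the same host, which is why Drupal defaults the path to its own base path, and that an override must be an absolute path beginning and ending with `/`, with the example line changed to `# $session_cookie_path = '/drupal/';`. Since the patch now passes the path to `session_set_cookie_params()`, an `ini_set('session.cookie_path', ...)` elsewhere in settings.php is presumably overridden; one sentence saying that `$session_cookie_path` is the only supported knob would save the next administrator a debugging session.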
