In Drupal 5.x, as part of making sessions more stable across directories and domains, core began stripping any leading www. from the cookie domain (#356357).
Given that most production sites now force a www. or non-www domain, the minor win in terms of user experience is no longer worth the decrease in security that comes from leaking the users' session cookies to all subdomains.
As of this change, a leading www. will no longer be stripped, and users will not be logged in with the same session on http://www.example.com and http://example.com.
If you need to restore the prior behavior, you can set the cookie_domain setting in your site-specific services.yml file to be the bare domain without www. Or, if you have more complex needs, you can subclass or re-implement Drupal\Core\Session\SessionConfiguration and change the class used by the session_configuration service.
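The scope difference described above can be checked with the RFC 6265 domain-matching rule that browsers apply when deciding which hosts receive a cookie. The following is an added example, not Drupal code: the function names and the host list are constructed for illustration, and it assumes the cookie domain is the login host with or without its leading www.

```python
# Added illustration: RFC 6265 (section 5.1.3) domain matching applied to the
# two cookie scopes discussed above. All host names are constructed samples.
import ipaddress

def strip_leading_www(host):
    """Prior behaviour per the change record: drop a leading 'www.'."""
    return host[4:] if host.startswith("www.") else host

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(request_host, cookie_domain):
    """True if a browser would send a cookie scoped to cookie_domain to request_host."""
    host = request_host.lower()
    domain = cookie_domain.lower()
    if domain.startswith("."):      # a leading dot in the attribute is ignored
        domain = domain[1:]
    if host == domain:
        return True
    # Suffix match must fall on a label boundary and never applies to IP literals.
    return host.endswith("." + domain) and not is_ip(host)

def receivers(cookie_domain, hosts):
    """Hosts from the list that would receive the session cookie."""
    return [h for h in hosts if domain_match(h, cookie_domain)]

# Constructed sample: the site plus sibling subdomains and look-alike hosts.
HOSTS = [
    "example.com",
    "www.example.com",
    "blog.example.com",
    "uploads.example.com",
    "notexample.com",       # shares a string suffix, not a label boundary
    "example.org",
]

LOGIN_HOST = "www.example.com"
SCOPE_BEFORE = receivers(strip_leading_www(LOGIN_HOST), HOSTS)  # www. stripped
SCOPE_AFTER = receivers(LOGIN_HOST, HOSTS)                      # www. kept

if __name__ == "__main__":
    print("www. stripped:", SCOPE_BEFORE)
    print("www. kept:    ", SCOPE_AFTER)
```

Setting cookie_domain back to the bare domain returns the session cookie to the wider scope, so every host in the first list needs to be trusted with it.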