Follow-up to #2522002: Do not strip www. from cookie domain by default because that leaks session cookies to subdomains
Problem/Motivation
These comments in default.services.yml are not clear:
# Drupal automatically generates a unique session cookie name based on the
# full domain name used to access the site. This mechanism is sufficient
# for most use-cases, including multi-site deployments. However, if it is
# desired that a session can be reused across different subdomains, the
# cookie domain needs to be set to the shared base domain. Doing so assures
# that users remain logged in as they cross between various subdomains.
# To maximize compatibility and normalize the behavior across user agents,
# the cookie domain should start with a dot.
#
Proposed resolution
Update the documentation to say something like 'Sessions themselves will only be synchronized across subdomains if they are all served from the same Drupal installation or if some other session sharing mechanism is implemented'.
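To make the distinction in the proposed wording concrete, here is an added example (not code from Drupal core or from this issue) that models the two things the comment block above conflates: which hosts a browser sends the session cookie to, governed by the RFC 6265 domain-matching rule, and whether the installation answering on that host can actually resolve the session ID, which depends on the session store. The hosts (www.example.com, example.com, blog.example.com) and the two installations A and B are constructed for illustration; the way the cookie name is derived is modeled on Drupal's hash-of-domain scheme and should be treated as an assumption, not core's exact code.

```python
"""Model: cookie domain scoping versus session store sharing (added example)."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    set_by: str                      # host that issued the Set-Cookie
    domain: Optional[str] = None     # Domain attribute; None means host-only


def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Apply the RFC 6265 domain-matching rule a user agent uses.

    A host-only cookie (no Domain attribute) goes back only to the host that
    set it. A Domain attribute, with or without the leading dot, matches that
    domain and every subdomain below it.
    """
    host = request_host.lower()
    if cookie.domain is None:
        return host == cookie.set_by.lower()
    domain = cookie.domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


@dataclass
class DrupalInstall:
    """A hypothetical Drupal installation with its own session store."""
    name: str
    cookie_domain: Optional[str] = None
    sessions: Dict[str, str] = field(default_factory=dict)  # sid -> user

    def session_name(self, host: str) -> str:
        # Assumption modeled on Drupal: the cookie name is derived from the
        # configured cookie domain, or from the request host when none is set.
        basis = self.cookie_domain if self.cookie_domain else host
        return "SESS" + hashlib.sha256(basis.encode()).hexdigest()[:32]

    def login(self, user: str, host: str) -> Cookie:
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return Cookie(self.session_name(host), sid, host, self.cookie_domain)

    def current_user(self, jar: List[Cookie], host: str) -> Optional[str]:
        """User the request at `host` is authenticated as, or None."""
        name = self.session_name(host)
        for c in jar:
            if c.name == name and cookie_sent_to(c, host):
                return self.sessions.get(c.value)  # unknown sid -> anonymous
        return None


def simulate(cookie_domain: Optional[str],
             share_store: bool = False) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Log in on www.example.com (install A), then visit three hosts.

    Constructed layout: install A serves example.com and www.example.com;
    install B (separate codebase and database) serves blog.example.com.
    Returns host -> (session cookie was sent?, authenticated user).
    """
    a = DrupalInstall("A", cookie_domain)
    # share_store stands in for 'some other session sharing mechanism'.
    b = DrupalInstall("B", cookie_domain, a.sessions if share_store else {})
    served_by = {"www.example.com": a, "example.com": a, "blog.example.com": b}
    jar = [a.login("alice", "www.example.com")]
    return {host: (any(cookie_sent_to(c, host) for c in jar),
                   install.current_user(jar, host))
            for host, install in served_by.items()}


if __name__ == "__main__":
    for cfg, share in ((None, False), (".example.com", False), (".example.com", True)):
        print(f"cookie_domain={cfg!r} shared_store={share}")
        for host, (sent, user) in simulate(cfg, share).items():
            print(f"  {host:18} cookie sent: {sent!s:5} user: {user}")
```

With cookie_domain unset, the cookie stays host-only and neither example.com nor blog.example.com ever sees it. With '.example.com', the cookie reaches every subdomain: example.com logs the user in because install A owns the session store, while blog.example.com receives the session ID but treats the user as anonymous because install B cannot resolve it. That is the situation the clarified comment should describe: the cookie domain setting shares the cookie, not the session, and a subdomain served by a different installation gets the session ID without the login.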
Remaining tasks
patch
review
User interface changes
None
API changes
none
Data model changes
none
Comments
Comment #1
naveenvalecha
Comment #2
pwolanin
Comment #13
catch
The proposed solution is outdated since we no longer support individual table prefixing in core.
I think this should be something like 'Sessions themselves will only be synchronized across subdomains if they are all served from the same Drupal installation or if some other session sharing mechanism is implemented'.
Comment #14
larowlan
Comment #15
mradcliffe
I added the tag for Portland2022. To work on this Bug Smash Initiative issue, first follow the How to Help section. We should triage this issue and update the issue summary.