When using cookie storage, the global cookie domain is not respected. There is a note in code about deliberately doing this to avoid setting the domain of the cookie to an invalid domain such as '.localhost'. However, in that case, the global $cookie_domain variable is misunderstood -- the whole point of it is so that it can be overwritten in settings.php for a variety of multisite installations. (See the comments in default.settings.php)

So the attached patch reinstates the use of the global $cookie_domain variable. If people are getting their cookies set at '.localhost', then the variable needs to be set correctly in Drupal's settings.php file, but this module should not need to reimplement this.

CommentFileSizeAuthor
session-cache-cookie-domain.patch767 bytesjames.williams

Comments

rdeboer’s picture

rdeboer
Location Melbourne
commented

Hi James,
Thanks for your feedback and patch.
Point taken.
Before applying your patch I'll probably extend on it a bit more, for backward compatibility and to avoid people ending up bewildered by invalid default domains.
Rik

rdeboer’s picture

rdeboer
Location Melbourne
commented
Assigned: Unassigned » rdeboer
Status: Needs review » Fixed

Hi James,
Have followed your advice.
In the latest check-in the global $cookie_domain is used, except when its value equals '.localhost', which according to my notes is invalid. So in that special case only, it will use the return value from ini_get('session.cookie_domain')
Rik

rdeboer’s picture

rdeboer
Location Melbourne
commented
Status: Fixed » Closed (fixed)

Released as part of 7.x-1.3, available now.