Issue #2522002 by pwolanin, fgm, znerol: Do not strip www. from cookie domain...

Issue #2522002 by pwolanin, fgm, znerol: Do not strip www. from cookie domain by default because that leaks session cookies to subdomains

Issue #2522002 by pwolanin, fgm, znerol: Do not strip www. from cookie domain...
20619e08 · Alex Pott · d47bd72b · 20619e08 · 20619e08
Commit 20619e08 authored 9 years ago by Alex Pott
--- a/core/lib/Drupal/Core/Session/SessionConfiguration.php
+++ b/core/lib/Drupal/Core/Session/SessionConfiguration.php
@@ -129,12 +129,6 @@ protected function getCookieDomain(Request $request) {
    }
    else {
      $host = $request->getHost();
-
-      // Strip www. from hostname.
-      if (strpos($host, 'www.') === 0) {
-        $host = substr($host, 4);
-      }
-
      // To maximize compatibility and normalize the behavior across user
      // agents, the cookie domain should start with a dot.
      $cookie_domain = '.' . $host;

--- a/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php
+++ b/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php
@@ -51,7 +51,7 @@ public function testGeneratedCookieDomain($uri, $expected_domain) {
  public function providerTestGeneratedCookieDomain() {
    return [
      ['http://example.com/path/index.php', '.example.com'],
-      ['http://www.example.com/path/index.php', '.example.com'],
+      ['http://www.example.com/path/index.php', '.www.example.com'],
      ['http://subdomain.example.com/path/index.php', '.subdomain.example.com'],
      ['http://example.com:8080/path/index.php', '.example.com'],
      ['https://example.com/path/index.php', '.example.com'],