Commit 20619e08 authored by alexpott's avatar alexpott

Issue #2522002 by pwolanin, fgm, znerol: Do not strip www. from cookie domain...

Issue #2522002 by pwolanin, fgm, znerol: Do not strip www. from cookie domain by default because that leaks session cookies to subdomains
parent d47bd72b
...@@ -129,12 +129,6 @@ protected function getCookieDomain(Request $request) { ...@@ -129,12 +129,6 @@ protected function getCookieDomain(Request $request) {
} }
else { else {
$host = $request->getHost(); $host = $request->getHost();
// Strip www. from hostname.
if (strpos($host, 'www.') === 0) {
$host = substr($host, 4);
}
// To maximize compatibility and normalize the behavior across user // To maximize compatibility and normalize the behavior across user
// agents, the cookie domain should start with a dot. // agents, the cookie domain should start with a dot.
$cookie_domain = '.' . $host; $cookie_domain = '.' . $host;
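Review bot: The comment kept above `$cookie_domain = '.' . $host;` explains only the leading dot, so nothing at this spot records why the `www.` prefix is now left in place, and a later cleanup could reintroduce the stripping. I would add a line such as `// Do not strip "www.": scoping the cookie to the parent domain would expose the session to every sibling subdomain.` directly after `$host = $request->getHost();`. Assuming this value ends up as the cookie's Domain attribute (that code is outside the hunk), the cookie is still returned to hosts below the request host, for example anything under `www.example.com`, so the change narrows the scope but does not make the session cookie host-only; the comment should say so. Sites that shared one session across `example.com` and `www.example.com` now get separate cookies. The other branch of this `if` starts outside the hunk and is presumably where an explicit cookie domain is honoured, so the change record should point administrators there.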
......
...@@ -51,7 +51,7 @@ public function testGeneratedCookieDomain($uri, $expected_domain) { ...@@ -51,7 +51,7 @@ public function testGeneratedCookieDomain($uri, $expected_domain) {
public function providerTestGeneratedCookieDomain() { public function providerTestGeneratedCookieDomain() {
return [ return [
['http://example.com/path/index.php', '.example.com'], ['http://example.com/path/index.php', '.example.com'],
['http://www.example.com/path/index.php', '.example.com'], ['http://www.example.com/path/index.php', '.www.example.com'],
['http://subdomain.example.com/path/index.php', '.subdomain.example.com'], ['http://subdomain.example.com/path/index.php', '.subdomain.example.com'],
['http://example.com:8080/path/index.php', '.example.com'], ['http://example.com:8080/path/index.php', '.example.com'],
['https://example.com/path/index.php', '.example.com'], ['https://example.com/path/index.php', '.example.com'],
......