- Patch #56357 by John Albin, alienbrain, moshe, etc: fixed more cookie domain problems.

includes/bootstrap.inc

@@ -256,13 +256,14 @@ function drupal_unset_globals() {
 }
 
 /**
- * Loads the configuration and sets the base URL correctly.
+ * Loads the configuration and sets the base URL, cookie domain, and
+ * session name correctly.
  */
 function conf_init() {
   global $base_url, $base_path, $base_root;
 
   // Export the following settings.php variables to the global namespace
-  global $db_url, $db_prefix, $conf, $installed_profile;
+  global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile;
   $conf = array();
 
   include_once './'. conf_path() .'/settings.php';
@@ -290,6 +291,31 @@ function conf_init() {
       $base_path = '/';
     }
   }
+
+  if ($cookie_domain) {
+    // If the user specifies the cookie domain, also use it for session name.
+    $session_name = $cookie_domain;
+  }
+  else {
+    // Otherwise use $base_url for session name.
+    $session_name = $base_url;
+    // We try to set the cookie domain to the hostname.
+    if (!empty($_SERVER['HTTP_HOST'])) {
+      $cookie_domain = $_SERVER['HTTP_HOST'];
+    }
+  }
+  // Strip leading periods, www., and port numbers from cookie domain.
+  $cookie_domain = ltrim($cookie_domain, '.');
+  if (strpos($cookie_domain, 'www.') === 0) {
+    $cookie_domain = substr($cookie_domain, 4);
+  }
+  $cookie_domain = '.'. array_shift(explode(':', $cookie_domain));
+  // Per RFC 2109, cookie domains must contain at least one dot other than the
+  // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
+  if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
+    ini_set('session.cookie_domain', $cookie_domain);
+  }
+  session_name('SESS'. md5($session_name));
 }
 
 /**

sites/default/settings.php

@@ -137,27 +137,15 @@
 ini_set('url_rewriter.tags',        '');
 
 /**
- * We try to set the correct cookie domain.
- */
-if (isset($_SERVER['HTTP_HOST'])) {
-  $domain = '.'. preg_replace('`^www\.`', '', $_SERVER['HTTP_HOST']);
-  // Per RFC 2109, cookie domains must contain at least one dot other than the
-  // first. For hosts such as 'localhost', we don't set a cookie domain.
-  if (count(explode('.', $domain)) > 2) {
-    ini_set('session.cookie_domain', $domain);
-  }
-}
+ * Drupal automatically generates a unique session cookie name for each site
+ * based on on its full domain name. If you have multiple domains pointing at
+ * the same Drupal site, you can either redirect them all to a single
+ * domain (see comment in .htaccess), or uncomment the line below and specify
+ * their shared base domain. Doing so assures that users remain logged in as they
+ * cross between your various domains.
+*/
 
-/**
- * On some sites, multiple domains or subdomains may point to the same site.
- * For instance, example.com may redirect to foo.example.com. In that case,
- * the browser may confuse the cookies between the two domains, resulting in
- * an inability to log in. In that case, uncomment the line below and set
- * it to the more generic domain name. For instance, .example.com is more
- * generic than .foo.example.com. Remember the leading period on the domain
- * name, even if you wouldn't type it in your browser.
- */
-#ini_set('session.cookie_domain', '.example.com');
+#$cookie_domain = 'example.com';
 
 /**
  * Variable overrides: