Commit 20619e08 authored by alexpott's avatar alexpott

Issue #2522002 by pwolanin, fgm, znerol: Do not strip www. from cookie domain...

Issue #2522002 by pwolanin, fgm, znerol: Do not strip www. from cookie domain by default because that leaks session cookies to subdomains
parent d47bd72b
......@@ -129,12 +129,6 @@ protected function getCookieDomain(Request $request) {
}
else {
$host = $request->getHost();
// Strip www. from hostname.
if (strpos($host, 'www.') === 0) {
$host = substr($host, 4);
}
// To maximize compatibility and normalize the behavior across user
// agents, the cookie domain should start with a dot.
$cookie_domain = '.' . $host;
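Review bot: The fallback at `$cookie_domain = '.' . $host;` still emits a Domain value, so the session cookie is a domain cookie rather than a host-only one; user agents will keep sending it to any host below the request host (for example names under www.example.com), just no longer to its siblings. The comment that remains only mentions user-agent compatibility, so nothing in the code records why the `www.` prefix must stay. I would add a comment above the assignment such as `// Do not strip 'www.': scoping the cookie to the parent domain would send the session cookie to every sibling subdomain.` Whether a host-only cookie (no Domain attribute) can be configured is decided outside this hunk, since getCookieDomain() starts and ends beyond the lines shown.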
......
......@@ -51,7 +51,7 @@ public function testGeneratedCookieDomain($uri, $expected_domain) {
public function providerTestGeneratedCookieDomain() {
return [
['http://example.com/path/index.php', '.example.com'],
['http://www.example.com/path/index.php', '.example.com'],
['http://www.example.com/path/index.php', '.www.example.com'],
['http://subdomain.example.com/path/index.php', '.subdomain.example.com'],
['http://example.com:8080/path/index.php', '.example.com'],
['https://example.com/path/index.php', '.example.com'],
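Review bot: The updated `www.example.com` row is the only regression guard for the session-cookie scoping fix, but nothing in the provider says so, which makes it easy to "normalise" back later. A short comment above that row would help, e.g. `// The www. prefix is kept on purpose: stripping it widens the cookie to all subdomains of example.com.` It may also be worth adding a row that combines the prefix with a port, `['http://www.example.com:8080/path/index.php', '.www.example.com'],`, assuming the port is dropped as in the existing `:8080` case. The provider's array continues past the end of the hunk.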
......