Update to Drupal 7.84. For more information, see https://www.drupal.o…

…rg/project/drupal/releases/7.84
pantheon-systems · Dec 13, 2021 · 6f2d085 · 6f2d085
1 parent 88b56f8
commit 6f2d085
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1,3 +1,7 @@
+Drupal 7.84, 2021-12-13
+-----------------------
+- Hotfix for session cookie domain on www subdomains
+
 Drupal 7.83, 2021-12-01
 -----------------------
 - Initial support for PHP 8.1

diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.83');
+define('VERSION', '7.84');
 
 /**
  * Core API compatibility.
@@ -834,6 +834,16 @@ function drupal_settings_initialize() {
     if (!empty($_SERVER['HTTP_HOST'])) {
       $cookie_domain = _drupal_get_cookie_domain($_SERVER['HTTP_HOST']);
     }
+
+    // Drupal 7.83 included a security improvement whereby www. is no longer
+    // stripped from the cookie domain. However, this can cause problems with
+    // existing session cookies whereby some users are left unable to login. In
+    // order to avoid that, use the cookie domain (including leading dot) as the
+    // session name when a www. subdomain is in use.
+    // @see https://www.drupal.org/project/drupal/issues/2522002
+    if (strpos($session_name, 'www.') === 0) {
+      $session_name = $cookie_domain;
+    }
   }
   // Per RFC 2109, cookie domains must contain at least one dot other than the
   // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.