Issue #2522002 by pwolanin, fgm, znerol: Do not strip www. from cookie domain...

Issue #2522002 by pwolanin, fgm, znerol: Do not strip www. from cookie domain by default because that leaks session cookies to subdomains

core/lib/Drupal/Core/Session/SessionConfiguration.php

@@ -129,12 +129,6 @@ protected function getCookieDomain(Request $request) {
     }
     else {
       $host = $request->getHost();
-
-      // Strip www. from hostname.
-      if (strpos($host, 'www.') === 0) {
-        $host = substr($host, 4);
-      }
-
       // To maximize compatibility and normalize the behavior across user
       // agents, the cookie domain should start with a dot.
       $cookie_domain = '.' . $host;

core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php

@@ -51,7 +51,7 @@ public function testGeneratedCookieDomain($uri, $expected_domain) {
   public function providerTestGeneratedCookieDomain() {
     return [
       ['http://example.com/path/index.php', '.example.com'],
-      ['http://www.example.com/path/index.php', '.example.com'],
+      ['http://www.example.com/path/index.php', '.www.example.com'],
       ['http://subdomain.example.com/path/index.php', '.subdomain.example.com'],
       ['http://example.com:8080/path/index.php', '.example.com'],
       ['https://example.com/path/index.php', '.example.com'],