Skip to content
Snippets Groups Projects
Commit 20619e08 authored by Alex Pott's avatar Alex Pott
Browse files

Issue #2522002 by pwolanin, fgm, znerol: Do not strip www. from cookie domain...

Issue #2522002 by pwolanin, fgm, znerol: Do not strip www. from cookie domain by default because that leaks session cookies to subdomains
parent d47bd72b
No related branches found
No related tags found
No related merge requests found
......@@ -129,12 +129,6 @@ protected function getCookieDomain(Request $request) {
}
else {
$host = $request->getHost();
// Strip www. from hostname.
if (strpos($host, 'www.') === 0) {
$host = substr($host, 4);
}
// To maximize compatibility and normalize the behavior across user
// agents, the cookie domain should start with a dot.
$cookie_domain = '.' . $host;
......
......@@ -51,7 +51,7 @@ public function testGeneratedCookieDomain($uri, $expected_domain) {
public function providerTestGeneratedCookieDomain() {
return [
['http://example.com/path/index.php', '.example.com'],
['http://www.example.com/path/index.php', '.example.com'],
['http://www.example.com/path/index.php', '.www.example.com'],
['http://subdomain.example.com/path/index.php', '.subdomain.example.com'],
['http://example.com:8080/path/index.php', '.example.com'],
['https://example.com/path/index.php', '.example.com'],
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment