Contrib.social

Allow configurable cookie prefix

Open on Drupal.org →
Created on 5 December 2011, over 13 years ago
Updated 31 January 2023, about 2 years ago

The hardcoded cookie prefix SESS should be available in settings.php as a configurable string. When using multiple Drupal sites under a single domain, it can be useful to configure this name for upstream processing by a reverse proxy.

The current convention is SESS for HTTP connections and SSESS for secure-only cookies. This patch only changes the SESS portion and keeps the convention of adding an initial S for HTTPS connections.

Feature request
Status

Needs work

Version

10.1

Component
Base 

Last updated about 6 hours ago

Created by

🇺🇸United States erikwebb

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

  • Needs framework manager review

    It is used to alert the framework manager core committer(s) that an issue significantly impacts (or has the potential to impact) multiple subsystems or represents a significant change or addition in architecture or public APIs, and their signoff is needed (see the governance policy draft for more information). If an issue significantly impacts only one subsystem, use Needs subsystem maintainer review instead, and make sure the issue component is set to the correct subsystem.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 2 years ago
    🇺🇸United States smustgrave

    Tagging for framework manager reviews for their thoughts.

    Either way think this will require a test case for the new feature.

    Also MR has failures.

  • Open in Jenkins → Open on Drupal.org →
    Environment: PHP 8.1 & MySQL 5.7
    last update almost 2 years ago
    29,332 pass, 20 fail
  • Comment almost 2 years ago
    🇸🇰Slovakia poker10

    Thanks for working on this @Darren Oh!

    I would say we need to split the patch, because it seems to me that it is combining two separate changes:

    Adding a cookie prefix:

    @@ -66,13 +67,14 @@ public function getOptions(Request $request) {
   protected function getName(Request $request) {
+    $prefix = Settings::get('session_cookie_prefix', '');
     ...
-    $prefix = $request->isSecure() ? 'SSESS' : 'SESS';
+    $prefix .= $request->isSecure() ? 'SSESS' : 'SESS';

    Fixing a problem with overwriting site cookies:

    @@ -102,6 +104,10 @@ protected function getUnprefixedName(Request $request) {
+    // Add hash salt to prevent sites on shared domains with separate databases
+    // from overwriting each other's cookies.
+    $session_name .= Settings::get('hash_salt', '');

    I think the second change (seems like a bug-fix?) should be in a separate issue. Or the issue title + summary needs to be updated and explained why there are these two changes together. Thanks!

  • Open in Jenkins → Open on Drupal.org →
    Environment: PHP 8.1 & MySQL 5.7
    last update almost 2 years ago
    29,395 pass, 20 fail
  • Comment almost 2 years ago
    🇺🇸United States darren oh Lakeland, Florida
  • Comment over 1 year ago
    🇺🇸United States darren oh Lakeland, Florida

    poker10, I have updated the issue description. Both changes are addressing the same bug. The configurable prefix was the original solution, but it requires site owners to take action to prevent the bug. I added the database hash as a more reliable solution that does not require action from site owners. I believe both solutions are required because the issue also affects reverse proxies that filter cookies, and the database hash does not help with that.

  • Open in Jenkins → Open on Drupal.org →
    Environment: PHP 8.2 & MySQL 8
    last update over 1 year ago
    30,025 pass, 20 fail
  • Comment over 1 year ago
    🇺🇸United States darren oh Lakeland, Florida
  • Status changed to Needs review over 1 year ago
  • Comment over 1 year ago
    🇺🇸United States darren oh Lakeland, Florida
  • Status changed to Needs work over 1 year ago
  • Comment over 1 year ago
    🇺🇸United States DamienMcKenna NH, USA

    This could be tested by leaving the prefix blank, logging into the site, changing the prefix, reloading the site and confirming that the session is no longer logged in, then removing the prefix and confirming the original session is logged in again; might be a little fiddly to do, but it'd be simpler than trying to create concurrent installs of core.

    And I suspect the test coverage failures are related to the addition of the hash_salt setting to the session name, maybe this should be optional and it should just use the prefix?

  • Comment 27 days ago
    🇬🇧United Kingdom sadikyalcin

    What's the state with this? I see the last activity was 2 years ago. I've got the same issue right now. This change should be in core IMO.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024