Contrib.social

Session name suffix is ignored if cookie_domain is set

Open on Drupal.org →
Created on 7 March 2025, about 1 month ago

Problem/Motivation

The name_suffix in the session configuration introduced via 🐛 Allow the session name suffix to be configurable Fixed doesn't take effect if the cookie_domain is manually defined.
This is problematic in complex setups in which the cookie should be shared between services on the same domain while still allowing to maintain separation.

Proposed resolution

Also add the configured name_prefix when cookie_domain is set.

Remaining tasks

  1. Write tests
  2. Write code
  3. Review

User interface changes

The session name suffix is now also applied in case a specific cookie domain is manually defined.

Introduced terminology

None

API changes

Return

Data model changes

None.

Release notes snippet

Feature request
Status

Active

Version

11.1 🔥

Component

base system

Created by

🇨🇭Switzerland das-peter

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @das-peter
  • Comment about 1 month ago
    cilefen

    This sounds like a bug.

  • Merge request !11411Resolve #3511586 "Session name suffix" → (Open) created by das-peter
  • Merge request !11412Draft: Resolve #3511586 "Session name suffix 10.5.x" → (Closed) created by das-peter
  • Pipeline finished with Failed
    about 1 month ago
    Total: 527s
    #442764
  • Comment about 1 month ago
    🇨🇭Switzerland das-peter

    @cilefen Thanks for chiming in. I was not entirely sure about the category - but given I couldn't find anything in the code mentioning a deliberate choice to not include the suffix I'd agree by now - this was just forgotten and hence feels more like a bug.

    I also found some possible related issues which could suffer from the same - or where files before the name suffix was added in the first place.
    I've referenced them now.

    Added tests fail without the new code and pass with the change.
    I've decided to add an extra test case because I wasn't sure if it is advisable to adjust / extend the existing test: testEnforcedSessionNameViaCookieDomain

  • Pipeline finished with Success
    about 1 month ago
    Total: 540s
    #442769
  • Comment about 1 month ago
    🇨🇭Switzerland das-peter
  • Comment about 1 month ago
    🇺🇸United States smustgrave

    Can the MRs be cleaned up some. Just need 1 against 11.x

  • Comment about 1 month ago
    🇮🇳India yogen.prasad

    I tried to test the MR by making the changes manually, It does not work in my case because $this->option['name_suffix'] always comes as a blank.

    Please let me know the right way of testing

  • Comment about 1 month ago
    🇨🇭Switzerland das-peter

    das-peter changed the visibility of the branch 3511586-session-name-suffix-10.5.x to hidden.

  • Comment about 1 month ago
    System Message
  • Comment about 1 month ago
    🇨🇭Switzerland das-peter

    @smustgrave I've hidden & closed the 10.5.x MR. However, I do not understand the current test failures for the 11.x branch. To me the failures seem unrelated:

    • Image Url Provider (Drupal\Tests\ckeditor5\FunctionalJavascript\ImageUrlProvider): ✘ Resize with Image·resize·is·enabled
    • Standard Performance (Drupal\Tests\standard\FunctionalJavascript\StandardPerformance): Different number of cache tags / checksum

    The changes introduced might make the session name longer - but none of these reported issues make sense in that regard.
    For them to be affected the tests would need to somehow have a cookie_domain and name_suffix set and run with a hardcoded session cookie - which doesn't seem remotely relevant to me.

    @yogen.prasad Did you actually set the session.storage.options name_suffix setting?

  • Comment about 1 month ago
    🇮🇳India yogen.prasad

    Thanks @des-peter for guiding me, services.yml contains the name_suffix under session.storage.option, After that it was working fine.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024