function SessionConfiguration::getCookieDomain

Same name in other branches
  1. 9 core/lib/Drupal/Core/Session/SessionConfiguration.php \Drupal\Core\Session\SessionConfiguration::getCookieDomain()
  2. 8.9.x core/lib/Drupal/Core/Session/SessionConfiguration.php \Drupal\Core\Session\SessionConfiguration::getCookieDomain()
  3. 10 core/lib/Drupal/Core/Session/SessionConfiguration.php \Drupal\Core\Session\SessionConfiguration::getCookieDomain()

Return the session cookie domain.

The Set-Cookie response header and its domain attribute are defined in RFC 2109, RFC 2965 and RFC 6265, each one superseding the previous version.

Parameters

\Symfony\Component\HttpFoundation\Request $request: The request.

Return value

string|null The session cookie domain, or NULL if the calculated value is invalid.

See also

http://tools.ietf.org/html/rfc2109

http://tools.ietf.org/html/rfc2965

http://tools.ietf.org/html/rfc6265

1 call to SessionConfiguration::getCookieDomain()
SessionConfiguration::getOptions in core/lib/Drupal/Core/Session/SessionConfiguration.php
Returns a list of options suitable for passing to the session storage.

File

core/lib/Drupal/Core/Session/SessionConfiguration.php, line 126

Class

SessionConfiguration
Defines the default session configuration generator.

Namespace

Drupal\Core\Session

Code

protected function getCookieDomain(Request $request) {
    if (isset($this->options['cookie_domain'])) {
        $cookie_domain = $this->options['cookie_domain'];
    }
    else {
        $host = $request->getHost();
        // To maximize compatibility and normalize the behavior across user
        // agents, the cookie domain should start with a dot.
        $cookie_domain = '.' . $host;
    }
    // Cookies for domains without an embedded dot will be rejected by user
    // agents in order to defeat malicious websites attempting to set cookies
    // for top-level domains. Also IP addresses may not be used in the domain
    // attribute of a Set-Cookie header. IPv6 addresses will not pass the first
    // test, so it's acceptable to bias the second test to IPv4.
    if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
        return $cookie_domain;
    }
}
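
The validity test above, reproduced as a stand-alone PHP example that is added here and is not Drupal's own code. The helper name cookie_domain_for() and the sample hosts are constructed for illustration.

```php
<?php
// Added example: stand-alone copy of the two checks in getCookieDomain().
// cookie_domain_for() is a hypothetical helper, not part of the Drupal API.

/**
 * @param string $host
 *   Host name as Request::getHost() would return it.
 * @param string|null $configured
 *   Value of the 'cookie_domain' option, or NULL when it is not set.
 */
function cookie_domain_for(string $host, ?string $configured = NULL): ?string {
  // Default: prefix the request host with a dot, as the method does.
  $cookie_domain = $configured ?? '.' . $host;
  // Check 1: more than two dot-separated parts (rejects single-label hosts
  // and bracketed IPv6 literals, which contain no dots).
  // Check 2: not numeric once the dots are removed (rejects IPv4 literals).
  if (count(explode('.', $cookie_domain)) > 2
    && !is_numeric(str_replace('.', '', $cookie_domain))) {
    return $cookie_domain;
  }
  return NULL;
}

// Constructed sample inputs: [request host, configured cookie_domain].
$cases = [
  ['www.example.com', NULL],
  ['example.com', NULL],
  ['localhost', NULL],
  ['192.0.2.10', NULL],
  ['[2001:db8::1]', NULL],
  ['www.example.com', '.example.com'],
  ['www.example.com', 'example.com'],
];

foreach ($cases as [$host, $configured]) {
  printf(
    "host=%-16s configured=%-14s => %s\n",
    $host,
    var_export($configured, TRUE),
    var_export(cookie_domain_for($host, $configured), TRUE)
  );
}
```

A configured value without a leading dot, such as example.com, splits into only two parts and so yields NULL rather than a domain. A returned value such as .example.com scopes the session cookie to that domain and every subdomain under it.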
