From d5e2356e2d1d9f6e098b9959efe5a4ae2be1d02f Mon Sep 17 00:00:00 2001
From: Pantheon Automation
Date: Mon, 13 Dec 2021 16:07:27 +0000
Subject: [PATCH] Update to Drupal 7.84. For more information, see https://www.drupal.org/project/drupal/releases/7.84

---
 CHANGELOG.txt | 4 ++++
 includes/bootstrap.inc | 12 +++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index b1ea76162e..6f7bbdf4cb 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,7 @@
+Drupal 7.84, 2021-12-13
+-----------------------
+- Hotfix for session cookie domain on www subdomains
+
 Drupal 7.83, 2021-12-01
 -----------------------
 - Initial support for PHP 8.1
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 7d32f04bc3..e2f351ebd5 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '7.83');
+define('VERSION', '7.84');

 /**
 * Core API compatibility.
@@ -834,6 +834,16 @@ function drupal_settings_initialize() {
 if (!empty($_SERVER['HTTP_HOST'])) {
 $cookie_domain = _drupal_get_cookie_domain($_SERVER['HTTP_HOST']);
 }
+
+ // Drupal 7.83 included a security improvement whereby www. is no longer
+ // stripped from the cookie domain. However, this can cause problems with
+ // existing session cookies whereby some users are left unable to login. In
+ // order to avoid that, use the cookie domain (including leading dot) as the
+ // session name when a www. subdomain is in use.
+ // @see https://www.drupal.org/project/drupal/issues/2522002
+ if (strpos($session_name, 'www.') === 0) {
+ $session_name = $cookie_domain;
+ }
 }
 // Per RFC 2109, cookie domains must contain at least one dot other than the
 // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
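Review bot: The new `www.` check in the second bootstrap.inc hunk sits after the closing brace of the `!empty($_SERVER['HTTP_HOST'])` guard, so it can copy `$cookie_domain` into `$session_name` on a request where that guard never assigned it. If `$cookie_domain` is still empty at that point (its earlier handling is outside the hunk), the session name, and presumably the cookie name derived from it, would no longer be specific to the site. Requiring a value closes that gap: `if (!empty($cookie_domain) && strpos($session_name, 'www.') === 0) {`. It is also worth confirming that replacing a `$session_name` that may carry more than the host (a base path, for example) with the bare cookie domain cannot make two installs on one `www.` host share a session cookie name. The body of drupal_settings_initialize() starts and ends outside the hunk.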