function drupal_settings_initialize

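Sets the base URL, cookie domain, and session name from configuration, falling back to values derived from the current request (such as the Host header and script path) where settings.php does not define them.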

2 calls to drupal_settings_initialize()
SessionUnitTestCase::testSessionInitialization in modules/simpletest/tests/session.test
Unit test drupal_settings_initialize().
_drupal_bootstrap_configuration in includes/bootstrap.inc
Sets up the script environment and loads settings.php.

File

includes/bootstrap.inc, line 759

Code

/**
 * Sets the base URL, cookie domain, and session name from configuration.
 *
 * Includes settings.php (when present under conf_path()) and then fills in
 * the globals $base_url, $base_path, $base_root, $base_secure_url,
 * $base_insecure_url, $is_https and $cookie_domain. Finally it configures
 * PHP's session cookie domain, the session.cookie_secure flag, and the
 * session name.
 *
 * Security-relevant behavior visible in this function:
 * - When settings.php does not define $base_url, both $base_root and
 *   $base_url are built from $_SERVER['HTTP_HOST'], which is client-supplied.
 *   No validation of that header happens in this function. Defining $base_url
 *   in settings.php takes the first branch, which does not read the header.
 * - When settings.php does not define $cookie_domain, the cookie domain is
 *   also derived from $_SERVER['HTTP_HOST'].
 * - session.cookie_secure is switched on only when the current request is
 *   detected as HTTPS by drupal_is_https(); the session name prefix follows
 *   the effective ini value, not $is_https directly.
 *
 * Statement order matters: settings.php must be included before any of the
 * exported globals are read, and session.cookie_secure must be set before it
 * is read back with ini_get().
 */
function drupal_settings_initialize() {
    global $base_url, $base_path, $base_root;
    // Export these settings.php variables to the global namespace.
    global $databases, $cookie_domain, $conf, $installed_profile, $update_free_access, $db_url, $db_prefix, $drupal_hash_salt, $is_https, $base_secure_url, $base_insecure_url;
    // Reset $conf before the include, so it holds only what settings.php
    // assigns from here on.
    $conf = array();
    // settings.php is optional at this point; a missing file is skipped
    // silently and the fallbacks below are used instead.
    if (file_exists(DRUPAL_ROOT . '/' . conf_path() . '/settings.php')) {
        include_once DRUPAL_ROOT . '/' . conf_path() . '/settings.php';
    }
    $is_https = drupal_is_https();
    if (isset($base_url)) {
        // Parse fixed base URL from settings.php.
        $parts = parse_url($base_url);
        if (!isset($parts['path'])) {
            $parts['path'] = '';
        }
        $base_path = $parts['path'] . '/';
        // Build $base_root (everything until first slash after "scheme://").
        $base_root = substr($base_url, 0, strlen($base_url) - strlen($parts['path']));
    }
    else {
        // Create base URL.
        // The host part comes straight from the request's Host header, so every
        // URL later built on $base_url or $base_root inherits whatever the
        // client sent unless the header was validated before this point.
        $http_protocol = $is_https ? 'https' : 'http';
        $base_root = $http_protocol . '://' . $_SERVER['HTTP_HOST'];
        $base_url = $base_root;
        // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not
        // be modified by a visitor.
        // The trailing slash or backslash is trimmed; an empty result means
        // the script sits in the document root.
        if ($dir = rtrim(dirname($_SERVER['SCRIPT_NAME']), '\\/')) {
            $base_path = $dir;
            $base_url .= $base_path;
            $base_path .= '/';
        }
        else {
            $base_path = '/';
        }
    }
    // str_replace() rewrites every occurrence of the scheme string, not only
    // the leading one, so a $base_url that contains 'http://' or 'https://'
    // again later in the string is changed there too.
    $base_secure_url = str_replace('http://', 'https://', $base_url);
    $base_insecure_url = str_replace('https://', 'http://', $base_url);
    if ($cookie_domain) {
        // If the user specifies the cookie domain, also use it for session name.
        $session_name = $cookie_domain;
    }
    else {
        // Otherwise use $base_url as session name, without the protocol
        // to use the same session identifiers across HTTP and HTTPS.
        list(, $session_name) = explode('://', $base_url, 2);
        // HTTP_HOST can be modified by a visitor. The original comment here
        // said it was "already sanitized in drupal_settings_initialize()", but
        // that is this function, and nothing above validates the header.
        // NOTE(review): the sanitization presumably happens earlier in the
        // bootstrap (drupal_environment_initialize() in Drupal 7); confirm
        // before relying on it.
        if (!empty($_SERVER['HTTP_HOST'])) {
            $cookie_domain = _drupal_get_cookie_domain($_SERVER['HTTP_HOST']);
        }
        // Drupal 7.83 included a security improvement whereby www. is no longer
        // stripped from the cookie domain. However, this can cause problems with
        // existing session cookies where some users are left unable to login. In
        // order to avoid that, prepend a leading dot to the session_name that was
        // derived from the base_url when a www. subdomain is in use.
        // @see https://www.drupal.org/project/drupal/issues/2522002
        if (strpos($session_name, 'www.') === 0) {
            $session_name = '.' . $session_name;
        }
    }
    // Per RFC 2109, cookie domains must contain at least one dot other than the
    // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
    // The test requires at least three dot-separated parts, so a value with a
    // single dot and no leading dot (two parts) is not applied either, and the
    // numeric check skips values that are only digits once the dots are
    // removed. When the test fails, session.cookie_domain keeps whatever PHP
    // already had configured.
    if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
        ini_set('session.cookie_domain', $cookie_domain);
    }
    // To prevent session cookies from being hijacked, a user can configure the
    // SSL version of their website to only transfer session cookies via SSL by
    // using PHP's session.cookie_secure setting. The browser will then use two
    // separate session cookies for the HTTPS and HTTP versions of the site. So we
    // must use different session identifiers for HTTPS and HTTP to prevent a
    // cookie collision.
    if ($is_https) {
        ini_set('session.cookie_secure', TRUE);
    }
    // The prefix is chosen from the effective ini value, so a
    // session.cookie_secure that was enabled elsewhere (php.ini, settings.php)
    // yields 'SSESS' even when this request was not detected as HTTPS.
    $prefix = ini_get('session.cookie_secure') ? 'SSESS' : 'SESS';
    // The SHA-256 digest only produces a fixed-length cookie name (its first
    // 32 hex characters); its input is the cookie domain or the host and path,
    // not a secret.
    session_name($prefix . substr(hash('sha256', $session_name), 0, 32));
}
