According to the PHP docs
(http://php.net/manual/en/session.configuration.php#ini.session.cookie-domain),
session.cookie_domain's default value is set to the domain that
generated the cookie.
Default is none at all meaning the host name of the server which
generated the cookie according to cookies
Is there any update on this request?
I can see quite a few security concerns that could be mitigated if we
could enable and disable certain functions at the virtual host level.
nginx paired with php-fpm appears to already work this way. For
consistency purposes, shouldn't this be implemented in
