Drupal Release: 7.85

TL;DR

Drupal 7.85 is a minor security update that fixes an issue with session cookies when different base URLs share the same domain. This release ensures proper session handling in multi-site configurations, improving security and preventing potential session conflicts. Site administrators should update immediately to maintain secure session management.

Highlight of the Release

• Fixed a session cookie handling issue when different base URLs share the same domain
• Improved security for multi-site Drupal installations
• Addressed issue #2522002 with community collaboration

Migration Guide

No specific migration steps are required for this update. This is a standard Drupal 7.x minor version update that follows the usual update process:

1. Back up your database and site files
2. Put the site into maintenance mode
3. Replace the existing Drupal core files with the new 7.85 release
4. Run the update script (update.php)
5. Take the site out of maintenance mode

No database schema changes are included in this release, so the update process should be straightforward.

Upgrade Recommendations

Priority: High

All Drupal 7 sites should upgrade to version 7.85 as soon as possible, especially those running multi-site configurations or sites with different base URLs sharing the same domain.

This update addresses a security-related issue with session cookie handling that could potentially affect site security. As with any security update, prompt application is recommended.

Drupal 7 will reach end-of-life on January 5, 2025. Site owners should also be planning their migration to Drupal 9 or 10 as part of their long-term strategy.

Bug Fixes

Session Cookie Handling Fix

This release addresses issue #2522002 which resolves a problem with session cookies when different base URLs share the same domain. The fix ensures that:

• Session cookies are properly managed in multi-site configurations
• Sites with different base URLs but the same domain maintain proper session isolation
• Potential session conflicts between related sites are prevented

This fix was a collaborative effort with contributions from multiple community members including mcdruid, crystaldawn, izmeez, benjifisher, mforbes, Fabianx, and andrew.green.

New Features

No new features were introduced in this release. Drupal 7.85 is focused on security and bug fixes rather than new functionality.

Security Updates

Session Cookie Security Enhancement

This release improves the security of session handling in Drupal 7 by fixing how session cookies are managed when different base URLs share the same domain. While not classified as a critical security vulnerability, this update helps prevent potential session-related security issues that could occur in multi-site configurations.

The fix ensures proper session isolation between sites, reducing the risk of unauthorized access or session hijacking in certain multi-site configurations.

Performance Improvements

No specific performance improvements were included in this release. The changes focus on security and bug fixes related to session cookie handling.

Impact Summary

Drupal 7.85 delivers an important fix for session cookie handling in multi-site configurations. This update specifically addresses situations where different base URLs share the same domain, ensuring proper session management and security.

The impact is primarily focused on improved security and reliability for multi-site Drupal installations. Site administrators will benefit from more consistent session handling, while end users will experience fewer session-related issues.

This release demonstrates the continued maintenance and security support for Drupal 7, even as it approaches its end-of-life date in January 2025. The collaborative nature of the fix, with multiple community contributors, highlights the strength of the Drupal community in maintaining this legacy version.