psecio/iniscan

session.cookie_domain

noraj opened this issue · 0 comments

noraj commented

If session.cookie_domain = is empty, it triggers a fail and the description is:

It is recommended that you set the default domain for cookies.

AFAIK if none is provided it will use the current hostname (https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-domain).

But it seems that cookie_domain is used when you have multiple sub-domains so that the cookie can be shared among several sub-domains http://www.freekb.net/Article?id=806#Multiple%20domains

Multiple domains

By default, PHP is configured so that sessions are unique to a domain. For example, if a session is started on www.example.com, the session would not be valid for sso.example.com, and vice versa. If you have two or more domains, and you want a session created on one domain to be valid for another domain, in your php.ini file, set the session.cookie_domain directive to exclude the domain prefix (www, sso, et cetera).

session.cookie_domain = ".freekb.net"

So enabling this behavior makes the application less secure as it increases the attack surface and increases the risk of session stealing because of possible sub-domain takeovers https://programmierfrage.com/items/how-can-php-session-cookie-domain-be-secure

IMO the check should be the exact opposite
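The inverted check described in this issue, written out as an added example. This is not iniscan's own code and not part of the issue: the function name checkCookieDomain, the pass/fail labels and the sample values are assumptions made for illustration. It treats an empty session.cookie_domain (host-only session cookie) as the safe case and any explicit domain (which, per RFC 6265, a browser sends to that host and all of its subdomains, with or without the leading dot) as the case worth flagging.

```php
<?php
// Added example, not iniscan's own code: the "opposite" of the current
// session.cookie_domain check, as proposed in the issue above.

/**
 * Evaluate a session.cookie_domain value the way the issue suggests.
 *
 * Empty value      -> PHP emits a host-only session cookie: the browser sends
 *                     it only to the exact host that set it. Reported as pass.
 * Any other value  -> the cookie carries a Domain attribute, so it is sent to
 *                     that domain and every subdomain of it. A takeover of any
 *                     of those subdomains exposes the session id. Reported
 *                     as fail.
 *
 * @return array{status: string, reason: string}
 */
function checkCookieDomain(string $value): array
{
    $value = trim($value);
    if ($value === '') {
        return [
            'status' => 'pass',
            'reason' => 'host-only session cookie (session.cookie_domain is unset)',
        ];
    }

    // A leading dot is the legacy way to ask for subdomain sharing; RFC 6265
    // browsers ignore the dot and share with subdomains either way, so the
    // dotted and undotted forms are treated identically here.
    $domain = ltrim($value, '.');

    return [
        'status' => 'fail',
        'reason' => "session cookie is shared with {$domain} and all of its subdomains",
    ];
}

// Constructed sample values: the empty setting from the issue, the value
// recommended in the quoted freekb.net article, and an explicit hostname.
$samples = ['', '.freekb.net', 'www.example.com'];
foreach ($samples as $sample) {
    $result = checkCookieDomain($sample);
    printf(
        "session.cookie_domain = %-18s => %s (%s)\n",
        var_export($sample, true),
        $result['status'],
        $result['reason']
    );
}

// The same check against the running interpreter's configuration.
$live = checkCookieDomain((string) ini_get('session.cookie_domain'));
printf("current php.ini => %s (%s)\n", $live['status'], $live['reason']);
```

Running this with the PHP CLI prints pass for the empty value and fail for the other two; the last line reports whatever the interpreter's own php.ini sets. Whether an explicit domain is acceptable still depends on the deployment (a site that deliberately shares sessions across subdomains may accept the trade-off), so a scanner would reasonably report this as a warning rather than a hard failure.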