session out while page redirect
| Project: | Drupal |
| Version: | 5.0 |
| Component: | user system |
| Category: | bug report |
| Priority: | critical |
| Assigned: | vinoth321 |
| Status: | closed |
I had several Drupal sites in my test installation. The code base consisted of different versions (4.7, 5.0-rc1/rc2 and 5.0), and 5.0 with PostgreSQL. I decided to combine the code base using multi-site with Drupal 5.0. I also created a new database structure with separate tables for each site. After the initial installation and creation of the user-1 account, I could not log in to the system without using the replacement password feature. Note: the login did not fail with an error message unless I deliberately used a wrong password (or unintentionally used a wrong password :). If I supplied an invalid password or user name, the error message would display.
I "fixed" the problem by deleting cookies with the same url name as the new sites.
I know my situation is fairly unique. But, I can imagine a scenario where a large site might go through some similar steps and hang all their users because of old cookies. Should Drupal use some mechanism to validate the session id in the cookie to stop this behavior?
~james

#1
an afterthought: Why would the password replacement or change password NOT invalidate the session saved in the cookie??
#2
OK: Some more tests yielded more information:
My testbed setup
Server Linux (Slackware 10.2)
PHP Version => 4.4.4
Apache 1.3.33
Drupal 5.0 clean - modules are in sites/all/modules But none are activated
Mysql 4.1.14
Drupal root directory is /opt/www/htdocs
contents of sites directory...
all/ drupal.bluewallgroup.com/ www.bluewallgroup.com/
default/ family.bluewallgroup.com/
my hosts are configured as named in the sites directory using Apache VirtualHost
each configured host has its own separate database.
Here's the test...
login to drupal.bluewallgroup.com
HOSED!!!!!!
remove cookie bluewallgroup.com
login to drupal.bluewallgroup.com OK
logout
check cookies
no bluewallgroup.com
only drupal.bluewallgroup.com
>> visit www.bluewallgroup.com
creates cookie bluewallgroup.com
login to drupal.bluewallgroup.com
works ok
login to www.bluewallgroup.com OK
logout
login to drupal.bluewallgroup.com OK
logout
>> login to www.bluewallgroup.com OK
close browser w/session open
open browser
login to drupal.bluewallgroup.com
HOSED!!!!!!
login to family.bluewallgroup.com
HOSED!!!!!
remove cookie "bluewallgroup.com"
login to family.bluewallgroup.com OK
Questions: Why is a cookie "bluewallgroup.com" created when I have no host with that name specified anywhere (that I know of)?
Why does an open session in "bluewallgroup.com" affect the other hosts?
In my opinion this behavior is broken: any session IDs should be created under cookies with the FQD of the host unless several hosts comprise a domain (i.e. drupal.org, groups.drupal.org...). It would seem that the default configuration of Drupal would be to generate (and use) separate cookies for each FQD host, UNLESS configured otherwise with a single-sign-on mechanism to handle instances like drupal.org.
I am bumping this to critical priority. If a workaround is available, or if I missed something in the installation process, please let me know. I don't know exactly how to fix this, So, I will leave it unassigned. If I can make some headway, I'll update with a patch.
~james
#3
More Testing...
Login to "host2.example.com"
Login OK
Logout OK
Login OK
Logout OK
Close Browser
Login to "host2.example.com" HOSED!!!!
Delete Cookie for "host2.example.com"
Login OK
Login to "www.example.com" OK
Logout OK
Login to "host2.example.com" HOSED
Delete cookie "example.com"
Login to "host2.example.com" OK
Logout OK
Login OK
Logout OK
Login to "www.example.com" OK
Logout OK
Login to "host2.example.com" HOSED!!!!
Delete cookie "example.com"
Login OK
Logout OK
Close browser
Open browser
Login to "host2.example.com" HOSED
Remove Cookie "host2.example.com"
Login OK
Close browser
Open browser
Access "host2.example.com" still logged in
/***************************************************************************************************************************************/
Overview of results...
www.example.com is not affected
www.example2.com is not affected
host2.example.com is affected by accessing www.example.com as an authenticated user and logging out.
host2.example.com is affected by logging in, then logging out and closing the browser.
Some questions:
This is terribly broken for multi-site setups with www, host1, host2 configurations.
I have started digging through the code. But, I'm still not able to find out what's going on :(
~james
#4
Another test - Login to "www.example.com" , "host2.example.com" and "www.example2.com"
Close browser while logged in
All OK and logged in except "host2.example.com" HOSED by cookie "example.com"
#5
The user logs in, and is authenticated. But, is presented with the login form again.
OK, I see two things going on here:
I am digging into the Drupal session handling and user authentication code to try and sort this out.
Other than investigating to see if I have overlooked any configuration issues, I am...
First, I am looking to force cookies holding session data to be named by the entire domain name of the Drupal host, and not the domain name only (this is only done for the host www). And have Drupal use the full domain name of the host in both reading and writing session data.
Second, I am looking to destroy session data if the user logs out of the Drupal host.
Third, I would like to drop any consideration of previous session data if the user must authenticate via the login form.
I am no expert on session handling (in general or in Drupal) and best practices here. So, any input/help would be appreciated ;)
~james
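A model of what the tests in this thread are exercising, added here as an illustration and not code from Drupal or from the reporter: a toy RFC 6265 cookie jar (host-only versus Domain= cookies, and the order in which a browser lists them in the Cookie header) beside a per-site session table that validates the session ID it is handed, mints a fresh ID on login and expires the cookie on logout. The host names, the cookie name SESSID, the user IDs, and the "www" site scoping its cookie to the parent domain are assumptions chosen to reproduce the reported symptom; Drupal 5's own session handling is not reproduced.

```python
import itertools
import secrets


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host is the cookie domain itself or a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


class CookieJar:
    """Toy browser cookie store (paths ignored; every cookie is path=/)."""

    def __init__(self):
        self.cookies = {}            # (name, domain) -> (value, host_only, created)
        self._clock = itertools.count()

    def store(self, response_host, name, value, domain=None):
        # RFC 6265 5.3: no Domain attribute -> host-only cookie for response_host;
        # a cookie with the same name and domain replaces the earlier one.
        scope = response_host if domain is None else domain.lstrip(".")
        if not domain_matches(response_host, scope):
            return                   # the browser rejects a Domain the host does not match
        self.cookies[(name, scope)] = (value, domain is None, next(self._clock))

    def delete(self, response_host, name, domain=None):
        """What an expired Set-Cookie with the same name and Domain achieves."""
        scope = response_host if domain is None else domain.lstrip(".")
        self.cookies.pop((name, scope), None)

    def cookie_header(self, request_host):
        """RFC 6265 5.4: host-only cookies go to their exact host, domain cookies to
        every matching host; with equal paths the older cookie is listed first."""
        sent = []
        for (name, scope), (value, host_only, created) in self.cookies.items():
            if (host_only and scope == request_host) or \
               (not host_only and domain_matches(request_host, scope)):
                sent.append((created, name, value))
        return [(name, value) for _, name, value in sorted(sent)]


class Site:
    """One member of a multi-site install with its own session table (assumed)."""
    COOKIE = "SESSID"                # hypothetical session cookie name

    def __init__(self, host, cookie_domain=None):
        self.host = host
        self.cookie_domain = cookie_domain   # None: host-only session cookie
        self.sessions = {}                   # sid -> uid

    def _presented_sid(self, jar):
        # PHP fills $_COOKIE from the FIRST cookie of a given name in the header,
        # so an older domain-wide cookie shadows a newer host-only one.
        for name, value in jar.cookie_header(self.host):
            if name == self.COOKIE:
                return value
        return None

    def login(self, jar, uid):
        # Always mint a new sid on authentication; never adopt one the client sent.
        sid = secrets.token_hex(16)
        self.sessions[sid] = uid
        jar.store(self.host, self.COOKIE, sid, self.cookie_domain)
        return sid

    def logout(self, jar):
        # Destroy server state AND expire the cookie in the scope it was issued in.
        self.sessions.pop(self._presented_sid(jar), None)
        jar.delete(self.host, self.COOKIE, self.cookie_domain)

    def current_uid(self, jar):
        # Validate the presented sid against THIS site's table; unknown -> anonymous.
        return self.sessions.get(self._presented_sid(jar))


def shared_domain_cookie():
    """www issues its cookie for Domain=example.com (what a 'strip www.' rule
    yields); host2 then receives a sid it never issued, and its own host-only
    cookie is shadowed by the older domain-wide one: login succeeds, user is
    still anonymous on the next request."""
    jar = CookieJar()
    www = Site("www.example.com", cookie_domain="example.com")
    host2 = Site("host2.example.com")
    www.login(jar, uid=1)
    host2.login(jar, uid=7)
    return www.current_uid(jar), host2.current_uid(jar)      # (1, None)


def host_only_cookies():
    """Each host scopes its cookie to its own FQDN: sessions no longer interfere,
    and a logout on www leaves host2's session untouched."""
    jar = CookieJar()
    www = Site("www.example.com")
    host2 = Site("host2.example.com")
    www.login(jar, uid=1)
    host2.login(jar, uid=7)
    before = (www.current_uid(jar), host2.current_uid(jar))  # (1, 7)
    www.logout(jar)
    return before, (www.current_uid(jar), host2.current_uid(jar))   # (None, 7)
```

The model shows why a cookie scoped to the parent domain reaches every subdomain, why the sibling site sees a session ID it never issued, and why the right reaction to an unknown ID is "anonymous, issue a fresh cookie" rather than an error; it also shows that a logout must expire the cookie with the same Domain it was set with, or the stale copy keeps being sent.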
#6
Number 1 Solved: I further investigated and found the $base_url and cookie domain naming code in settings.php
After setting the base URL and commenting out the cookie domain code in each settings.php, the cookies are named correctly.
Number 2: I can now login to the site. But, if I logout before closing the browser, I have to enter my login information twice. I hope this is some deeper configuration setting as well :)
More research...
~james
#7
Number two solved: I had enabled the "Front Page" module yesterday. After disabling it, logins work properly. For some reason, it made users repeat the login process again??
~james
#8
Hi friends,
I have a problem with the session when redirecting the page after login. I can't get the session value after the page is redirected.
I created a page in Drupal and put my existing sign-in PHP code in the body section and enabled the PHP code radio button, so that it will accept my PHP code directly.
After sign-in, I put the value in the session and redirect to the index page, but in that index page I don't get the value from the session.
I don't know why this happens.
Anybody help me in this regard ASAP.
Thanks
vinoth.
#12
vinoth321, please do not spam the issue queue.