Elusive login issue

Further evidence that this is the correct usage of the function is in the php documentation of setcookie.

If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes).

That's the behaviour we are looking for so even if this isn't the end of the almighty bug its an approriate fix to this section of code. That said I think this should fix the problem.

+1

This works for me reliably on FF and Konquerer, although I was only able to recreate the bug with Konquerer. This is most likely due to FF dealing with the undefined cookie lifetime value one way, and Konquerer another. +1 for this.

+1. Apparently this effectively creates the same condition as setting session.cookie_lifetime to zero, which is what I had done on my sites to get rid of this issues successfully.

If this patch gets in doesn't it make the session.cookie_lifetime setting in settings.php irrelevant?

chx: webchick: please add a polished version of "foo.example.com can't clear cookies for .example.com so if you have both then set the session cookie domain to .example.com . Note that the code below does this for www.example.com"
chx: to settings.php above the example code
chx: also check whether 4.7 has this

Just jotting this down so I can get a patch rolled a bit later.

The wording for this actually comes from Crell, I just patch-ified it. :)

Small fix; we don't put double spaces between sentences.

Committed to CVS HEAD. Thanks.

So then this should be committed to 5.x as well, right?

Is it still RTBC for that?

Can we please have this committed and ready for a 5.2 release?

Committed to HEAD.

.. I meant 5

I hope this is not to presumptuous of me, please don't take my head off if it is, but I'm marking back as rtbc in hopes that it will be committed to the 4.7 branch (which committed the other recent patch involving login issues).

If you're gonna do that, you should change the version too. :)

Can I apply the patch at #12 to Drupal 5.1?
Will this become drupal 5.2?

So that, if I apply the patch, I will technically have a 5.2 installation right? no other fixes going into 5.2?

Thanks!
jacauc

You can apply the patch in #12 to a 5.1 install, yes, but no, that definitely will not mean you have a 5.2 installation -- 5.2 will encompass all of the changes made to the DRUPAL-5 branch in CVS since the 5.1 release. There are usually dozens of such fixes. See http://drupal.org/node/108345 for an example of all the fixes that went in between RC1 and RC2.

Thanks! :D

Just to recap, this patch has been successfully committed to HEAD and 5.x we're just waiting for 4.7.x and then this issue is closed (unless someone wants to port it to 4.6.x).

If you're suffering from this bug - just wait for the next release of the Drupal branch you're using and all will be resolved (hopefully).

Um. This patch doesn't "fix" anything. It just adds documentation to settings.php and a line to comment out if you're having this problem.

There's no reason to wait for the next release if you're having this problem, just add the ini_set line referenced by the patch.

Just to confirm this approach fixes a login problem with both 5.1 an 4.7.6 on my home development box. I couldn't get beyond the login page because no cookie was being set. I think the wording in settings.php might need expanded though.

In my case I have several development sites on subdomains:
site1.example.com:8090
site2.example.com:8090
site3.example.com:8090

In this case the actual domain is set via DynDNS, with each sub domain setup as a vhost in Apache, listening on port 8090.
From looking at the output from devel module:
sess_wrte: UPDATE sessions SET uid = 1, cache = 0, hostname = '192.168.0.1', etc

The hostname php is seeing is in fact the LAN IP address of my router, not even the IP of the machine the server is running on. I guess that's the problem with NAT :)

Setting the cookie domain manually, as per this patch, works:
ini_set('session.cookie_domain', '.site1.example.com');
Somehow it seems odd to do it this way, with the dot before the entire domain, but it works adn AFAIK it's to standard.

Hope this is helpful to someone.

Server info:
Apache/2.2.3 (Debian etch) PHP/5.2.0-8

Solution #28 also work for me. I've drupal 5.1, php 5.2, mysql 5.0 and DynDNS. After drupal installation I had "Access deny".

I added in my /srv/www/htdocs/drupal/sites/default/settings.php:
ini_set('session.cookie_domain', 'my.DynDNShostname.org');

and comment:
if (isset($_SERVER['HTTP_HOST'])) {
$domain = '.'. preg_replace('`^www.`', '', $_SERVER['HTTP_HOST']);
// Per RFC 2109, cookie domains must contain at least one dot other than the
// first. For hosts such as 'localhost', we don't set a cookie domain.
if (count(explode('.', $domain)) > 2) {
ini_set('session.cookie_domain', $domain);
}
}

no any patches.

Is it right solution?

The patch is further up this page romale! Comment#28 was just application of this patch and manual configuration of the cookie domain - which is exactly the solution the patch describes. My comment#28 was just adding information regarding DynDNS, NAT and routers, something I hadn't seen mentioned elsewhere.

applied to 4.7

Somehow it seems odd to do it this way, with the dot before the entire domain, but it works adn AFAIK it's to standard.

Cookie RFC says it

An explicitly specified [cookie] domain must always start with a dot.

adrinux might just have this issue too http://drupal.org/node/126340. In some situations port number ends up in cookie domain, which breaks cookies and they will never be sent back to server and so all the cookies fail and thus login fails.

Those interested in a follow-up, the most recent patch for #56357 significantly modifies the instructions added to settings.php by this issue.