In 4.4.1 i hacked user.module, changing the setcookie. this doesn't work for me in 4.5 -- does it work for anybody else?

ps: i'm using the .htaccess that is included in drupal 4.5

Comments

tvst’s picture

cookies are not working in either IE6 or Firefox1PR. i haven't tested on any other browser.

heathen’s picture

Hmm, my drupal remembers me by default (for now i'm playing on local nix PC) and drupal.org remembers me by default too... (i'm using Firefox 1PR)
but drupal.ru doesn't :)

matteo’s picture

'Remember me' option does not exist anymore.
I had the same problem, but it was not Drupal's fault.
In my case, it was a PHP.INI default which made the cookie expire:

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 200000000

Now it is working perfectly (on 4.5). One more thing that happened was that Linux exhausted /tmp space, and no sessions could be carried out, so logon was impossible.
I would also suggest investigating why sessions are not carried out.
Hope these experiences can help...
Matteo

tvst’s picture

the htaccess that comes with drupal seems to take care of cookie_lifetime already. i really have no idea what is going on. is there some other place where cookie_lifetime can be altered? you mention php.ini, and i don't own a server so i'm not sure about what it is -- is it an apache for windows file? the ini extension makes me think it's for windows, but my site is on a linux server.

oh, maybe this will help: cookies ARE being sent to my computer, but they don't have the correct expiration value. the value i want is 15 days, and when i look at the cookie i see the value 0 (expire when browser closes).

also, if i do get cookies to work i am surely setting up a "remember me" option and posting it here. :)

matteo’s picture

I'm not an Apache expert, but I had to force this parameter in php.ini, since in .htaccess it was not taken into account.
Matteo

tvst’s picture

what exactly is this php.ini? i don't host my own files so i don't have access to apache configuration files, if that's what it is.

this cookie issue is really strange. it used to work before i upgraded to 4.5, so it must have something to do with the new user module, the new htaccess or common.inc, which are the only files that contain the word "cookie".

tvst’s picture

oops. double post.

tvst’s picture

FINALLY!!

in user.module, add this after the setcookie line:

setcookie("userinfo", session_id(), time() + 3600 * 24 * 15, $path);

you can change the 15 for however many days you like.

also in user.module, add this in user_logout(), after unset($user):

setcookie("userinfo"); // this will clear the cookie upon logout

in sessions.inc, add the following to the sess_open() function:

if ($userinfo = $_COOKIE['userinfo']) {
session_id($userinfo);
}

that's it

tvst’s picture

ok, this doesn't really work

bummer

dtan’s picture

A patch was submitted to cvs apparently. . .might want to check that out.

dtan
Personal Blog Site

tvst’s picture

thanks but i got it working. at user.module in the very end of user_authenticate(...):

setcookie("userinfo", session_id(), time() + 3600 * 24 * 15, "/");

and after "unset($user)" (in user_logout(...)) i added

setcookie("userinfo");

which clears the cookie once the user logs out. now the only thing i needed was to change the sess_read() function at session.inc to this one:

function sess_read($key) {
  global $user;

  $result = db_query_range("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s' AND u.status < 3", $key, 0, 1);

  if (!db_num_rows($result)) {
    // -------- i changed from here... ---------
    if (isset($_COOKIE['userinfo'])) {
      $result = db_query_range("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s' AND u.status < 3", $_COOKIE['userinfo'], 0, 1);
      $user = db_fetch_object($result);
      // pass the uid as a %d argument instead of concatenating it into the SQL
      $result = db_query("SELECT u.* FROM {users} u WHERE u.uid = %d", ($user ? $user->uid : 0));
    }
    else $result = db_query("SELECT u.* FROM {users} u WHERE u.uid = 0");

    // uid is an integer column, so bind it with %d
    db_query("INSERT INTO {sessions} (uid, sid, hostname, timestamp) values(%d, '%s', '%s', %d)", ($user ? $user->uid : 0), $key, $_SERVER["REMOTE_ADDR"], time());
   // ---------- ...to here -------------
  }

  $user = db_fetch_object($result);
  $user = drupal_unpack($user);
  $user->roles = array();

  $result = db_query("SELECT r.rid, r.name FROM {role} r INNER JOIN {users_roles} ur ON ur.rid = r.rid WHERE ur.uid = %d", $user->uid);

  while ($role = db_fetch_object($result)) {
    $user->roles[$role->rid] = $role->name;
  }

  return !empty($user->session) ? $user->session : '';
}

this checks for the user cookie and fetches user data from the db. now the last step was to fix my htaccess file, since i'm using apache2 (this last step is described in the htaccess itself).

tvst’s picture

when the user tries to edit their own information it would be good if drupal would check whether a user is being remembered or if they logged in. if they hadn't logged in then they'd be asked for a password.

this would keep the "remember me" hack more secure. does anyone have ideas on how to implement this?

anisotropic’s picture

drupal login persistence hack requirements

- alter user_login to do the right thing and set the right cookie

- alter user_edit_form to add checkbox 'remember me?'
this allows the user to manage setting globally

- alter user_block to add 'remember me?' checkbox on login
this allows user to set option on login

- alter user_admin_account to allow admins to configure persistent
login cookies so as to control things like cookie timeout,
and whether persistent cookies are possible at all:

Cookie Expires: Never
Set # of days
Always

- alter user table with an INT 14 column that contains the number
of days the cookie should be set for:
0 means expire immediately
-1 means never expire
any other number ( within some range? 2 - 200? ) is calculated to set
the number of seconds / minutes or whatever param setcookie takes...

- alter user_logout to unset the cookie when an explicit logout is triggered

If I have some time I might even implement this for 4.5 as a user.module fork

life is too short for law & order re-runs
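
The password-check question and the requirements list above (expiry set in days, cookie cleared on explicit logout), sketched as an added example that is not from any post in this thread and is not Drupal code: the persistent cookie carries a random token that is separate from the session id, only its hash is kept server-side, it is rotated on every use, and a session restored from it is marked as not fresh so that account edits can ask for the password. The function names and the in-memory `$store` (standing in for a database table) are hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example. $store stands in for a database table keyed by selector (hypothetical).

// Create a token for $uid valid until $expires; returns the value to put in the cookie.
function remember_issue(array &$store, int $uid, int $expires): string {
    $selector  = bin2hex(random_bytes(9));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret half, never stored in clear
    $store[$selector] = [
        'uid'     => $uid,
        'hash'    => hash('sha256', $validator),
        'expires' => $expires,
    ];
    return $selector . ':' . $validator;
}

// Exchange a cookie value for a login. Returns null when the value is unknown,
// expired or wrong; otherwise the uid, a replacement cookie value and fresh = false.
function remember_redeem(array &$store, string $cookie, int $now): ?array {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                 // single use, whether or not it validates
    if ($row['expires'] < $now || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;
    }
    return [
        'uid'    => $row['uid'],
        'cookie' => remember_issue($store, $row['uid'], $row['expires']), // rotated value
        'fresh'  => false,                    // restored from a cookie, not from a password
    ];
}

// Explicit logout: drop the server-side row so the cookie value is dead everywhere.
function remember_revoke(array &$store, string $cookie): void {
    unset($store[explode(':', $cookie, 2)[0]]);
}

// Gate for account edits: only a session created by a password login is "fresh".
function needs_password(array $session): bool {
    return empty($session['fresh']);
}

// Constructed walk-through: 15-day token, one remembered visit, then logout.
$store = [];
$now   = 1100000000;
$first = remember_issue($store, 42, $now + 86400 * 15);
$login = remember_redeem($store, $first, $now + 3600);
var_dump($login['uid'], needs_password($login));
var_dump(remember_redeem($store, $first, $now + 7200));   // replaying the old value
remember_revoke($store, $login['cookie']);
var_dump(remember_redeem($store, $login['cookie'], $now + 7200));
```

Because the token is not the session id, a copied cookie value stops working after its first use or after logout, and it never grants a session that can change the password or e-mail address without re-entering the password.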