Closed (fixed)
Project:
Boost
Version:
7.x-1.0-beta2
Component:
Cookie issues
Priority:
Normal
Category:
Support request
Reporter:
Created:
9 Oct 2012 at 18:19 UTC
Updated:
21 Feb 2019 at 00:24 UTC
Jump to comment: Most recent
Drupal 7.15, boost 7.x-1.0-beta2, apache 1.3/2, php5 cgi, virtualhost.
Double cheked all the settings, configs, file perms, .htaccess etc etc. Not logged in during tests.
Only the 1st page accessed per session goes to cache, the others are not saved (no error or warning in watchdog, even with debug on). On the second I get
[is_cacheable] => 1
)
When I turn off cookies, all cache pages are generated and saved (or when wget --no-cookies crawls the website).
And I get:
[is_cacheable] => 1
[header_info] => Array
(
[status] => 200 OK
[status-number] => 200
.....
Any idea?
Comments
Comment #1
Anonymous (not verified) commentedBoost only works when anonymous users surf the site, so if you are logged in then you would have a DRUPAL_UID cookie which would stop boost working. The wget is interesting though since wget shouldn't be logged in. It sounds rather like you have a module sending a DRUPAL_UID to anonymous users (I use wget on a cron job every day to freshen the cache), use the contact form by clicking on my name as I'd like to see the site and URL just to check a few things.
Thank you
Philip.
Comment #2
casta commentedThanks for the info. I did some more testing.
When user is not logged and cookies are enabled, the 2nd visited page is not saved in cache and boost debug returns:
At this moment there is a session registerd, with uid = 0 (anonymous) and no BOOST_COOKIE defined.
I guess that the [is_cacheable] => FALSE is triggered in boost.module R275
and in includes/session.inc
So the cause of the problem may be the following: in my setup/drupal even anonymous users get a session (no idea why), and therefore session.inc flags the current page as non cacheable.
Comment #3
Anonymous (not verified) commentedI've had a look at the site, in particular the cookie being set. The rewrite rules for boost look for a cookie DRUPAL_UID which is not set by an anonymous user in my testing. The interesting thing is that whichever page you go to first, is cached, click on any link though and the site attempts to establish a session cookie which is not normal drupal behaviour and testing on several personal sites with boost installed, (7.x branch), it's not boost.
I suspect you have another module that is establishing the session and triggering the code segment that you found above. (well done). I'd recommend going through your modules and trying to work out which one it is, I've been using lynx to test as it's very obvious when the session cookie pops up. I've also chosen different entry points into the website and the same thing happens e.g. entering through the contact link and then going elsewhere, the second page always requests a session cookie.
I've ruled out the comment and tracker modules in core. I would initially rule out php.ini and session.auto_start (simple phpinfo should show that up) and then also look for any hooks. You should have
php_flag session.auto_start offin your root .htaccess file by default anyway. I'm closing this as it appears to not be boost setting this session.
Comment #4
nicolas bouteille commentedOk, I've got exactly the same problem.
Even though this is not a bug from Boost, it definitely is an « still open » « support request » :)
If anybody has any clue about what or which module is causing the cookie and thus Boost to consider the page as not cacheable I would be glad to learn about it !
Nick
Comment #5
nicolas bouteille commentedUpdating to support request and re-opening it
Comment #6
nicolas bouteille commentedFor what it's worth, I've isolated the cookie that is preventing Boost from caching the page :
Name : SESS49960de5880e8c687434170f6476605b
Content : zAP9XcfrG4AWf08BfXqiQhwqPhaScvGxS1g_vjUYUGc
Every time I visit a new page, the cookie is recreated.
Comment #7
nicolas bouteille commentedAlright I think I found the d*** module... Text Size « This module display a adjustable text size changer or a zoom function on the page for a better web accessibility. » It seems that in order to keep the selected size for anonymous users it needs to add a SESSION cookie to them so it breaks boost...
Maybe what i can do is try for the cookie to be generated only if the user chooses to have custom text size. For now the cookie is created anyway.
Comment #8
nicolas bouteille commentedHere's a post about Text Size setting cookies and how to disable them
http://drupal.org/node/1041878
Comment #9
Anonymous (not verified) commentedSorry, stepped away for a bit, but see that you've found the problem. The general overall picture is that we can only work within the scope of Drupal's login mechanism and if someone wants to add a module to do something custom, then they should use a differing cookie so that anonymous users are not assigned a login id, otherwise basically boost cannot work and also it does somewhat break the strict Drupal separation between anonymous and authenticated users which may also be a security issue with assigned roles.
I would submit a bug report to the module authors, pointing the above out.
Comment #10
nicolas bouteille commenteddone.
Comment #11
bebelg commentedI get the same problem and I use the module text size.
Now I have to find which one of my module is using this f*** cookies
Comment #12
derek.adams commentedI ran into the same problem with the "Administration menu" module. If you navigate to 'admin/config/administration/admin_menu' and choose 'performance' in the tabs at the left, then uncheck 'Cache menu in client-side browser' and save the settings, the caching is no longer skipped.
Comment #13
jvsteiner commentedHi, I've noticed an errant session cookie on my production site. I recently implemented custom ordering of my front page content using views: ie created a frontpage view, and set it to be the default front page in "Site configuration". When I do this, drupal sets a session cookie which prevents the boost from cacheing. When I set it back to the default "/" I get hits again.
Comment #14
Anonymous (not verified) commentedDrupal is unlikely to set a session cookie (which would be DRUPAL_UID) and this means that you have an errant module that is using Drupal Core sessions, (not allowed) to implement some kind of function or block. You need to track down the module and then take it up with whomever developed the module, they need to set their own cookie specific to their module.
Comment #15
jvsteiner commentedHi Philip,
after I posted, I was thinking the same thing. You are correct, I found the offending module. Thanks for your quick response!
Comment #16
voughndutch commentedHello I am having similar issues. when i log in, try to clear cache, add content, or even update php i get internal server errors or page not found errors. i figured it might be a session cookie issue because im an authenticated user any hits on finding the offending module?
Comment #17
Anonymous (not verified) commentedThis does not sound like the same problem. It sounds more like a permissions problem if you are getting internal server error. Please open another bug and post more details of the errors you are receiving since this thread is closed.
Comment #18
leewoodman commentedJvsteiner...which module was causin your issue?
Comment #19
bmunslow commentedHi,
Just in case this helps someone.
I have been pulling my hairs for a few hours until I discovered the following modules were setting a session cookie even for anonymous users, which prevented Boost from caching the page:
filter_harmonizer
global_filter
Disabling them got boost caching pages normally again.
Comment #20
Anonymous (not verified) commentedWhat would probably also hep is pointing out to the module maintainers that the login cookie is only for drupal's core use and should either be removed or set to a valid value (the id of the user), if they need a session function then they should use their own cookie. Even setting Drupal_UID=0 or -1 is not permitted but affects both the core drupal cache and disables boost.
Comment #21
TDBA commentedI have the same problem at the moment. In my case the session cookie set is:
Name: SESS08ba59d45e9592e4f86d7bb2c17da958
value: giSdE2UFNAX0zbQSWNP0ygi3eInLar4v4qCAsUIhsc0
My problem is that it's not a module that is doing that but a custom template/theme.
Isn't it possible somehow to get boost working even with just that simple session cookie (not a Drupal UID cookie)?
Comment #22
Anonymous (not verified) commentedBoost is only disabled if DRUPAL_UID is set, therefore if you just have a session then there is something incorrect with your configuration. There is a difference between a Drupal Core session (DRUPAL_UID) and a php session (which you have), which is probably not explained very well above. the .htaccess rules only work if DRUPAL_UID is not set to any value (even 0, -1, null or false), the cookie must not exist..
Comment #23
TDBA commentedHmm that is even stranger because I have the exact same behavior on the web site I am currently building.
Loading the site for the first time anonymously and the page get's cached. Clicking on a link and going to another page, that one does not get cached and I can find two cookies:
- has_js=1
- The mentioned HTTP session cookie
If I manually delete the session cookie and load another page or reload the same page, that page get's cached.
So as far as I can deduct the cookies does actively influence the caching (at least in my case).
Comment #24
Anonymous (not verified) commentedmessage me privately with the site's location as I would like to see this as it is extremely unlikely that the session cookie is relevant, since DRUPAL_UID is hard coded in to the .htaccess file.
Comment #25
Anonymous (not verified) commentedwell the good news is that the .htaccess rules are working, the bad news is that for some reason the main boost functions that should only be disable by DRUPAL_UID are being disabled by the PHP session cookie. I can confirm this as deleting the session cookie, hitting reload, creates the cache and then .htaccess serves the page for an hour and the folder permissions must be set correctly as I can visit pages such as http://example.com/cache/normal/exmple.com/personal_.html correctly if I type the url into the browser.
What I believe is happening is that looking at boost.module there is a line
|| !empty($_SESSION['messages']) // do not cache pages with messagesand I strongly suspect that your template may be setting a message (whether it be null or not). On this side of the server this would be impossible to see but you should be able to place a little PHP into a page to display it and then modify the boost.module if statement to ignore the value.
Comment #26
TDBA commentedFirst of all thank you for personally looking into this!
Good idea but it sadly didn't work.
I deleted the or statement from the boost.module and I also searched through all of the template files for the session messages.
Nothing found and the behavior still exists even with the modified boost.module.
It would really help if I would know what generated that HTTP session.
I contacted the makers of that template already but no response as of yet.
Still what inside of boost prevents the caching when such a cookie exists?
Comment #27
Anonymous (not verified) commentedTherein lies the problem there is nothing in boost that should be affected by a Session cookie, except for the "MESSAGE' section
where you have just removed the MESSAGES sections I would suggest checking the values of $_boost['cache_this'] and $_boost['is_cacheable'] before the block and seeing if you can backtrace the trigger, I would be very interested to see what the trigger is as I can certainly see that the cache is being created and served at least once, there isn't anything in your .htaccess that could cause a skipping of the rules based on the existence of a cookie rather than the specific DRUPAL_UID cookie ?
Comment #28
TDBA commentedI placed a
exactly below the code block you inserted.
Next to other content I get
at all times so after loading the page for the first time (without the cookie) and after subsequent loading (with the cookie).
I do not see "cache_this" so I am assuming it's never been set (unless I do so forcefully).
Regarding the .htaccess file: It's a fresh file from a fresh Drupal download.
I only added two things:
- The password protection (as the last entry)
- the boost code generated from the system at the right position within the file.
Comment #29
Anonymous (not verified) commentedcache_this is only ever set to FALSE, I don't think that that is the problem though. The code block is the main block in PHP which corresponds to the .htaccess rules so it would be logical to assume that the session cookie was triggering something in there and it would be helpful to know what (except that it appears that the rules are passed).
It is normal to need to refresh the page to get the cached version, first time it hits the page and saves it out, second time .htaccess takes over and pass the html back. In your case it appears that the session cookie needs to be deleted for all subsequent pages to be generated and I can't see from this side what is triggering this behaviour. Taking the front page as an example, if deleted, if it always generated ? I've just generated it myself, then after it is presented, then does going to /personal also generate the page ? (you'll have to remove the pages from the cache) or does the existence of the session cookie stop pages being written out, so one would
delete cached pages
go to index/ home
check if cache has been written out,
confirm that a session cookie has been set
visit /personal to see if a cached page gets written or whether it requires the deletion of the session cookie to be written.
something that might be worth trying it
setting session.auto_start=0
or
php_value session.auto_start 0in the top of .htaccess (it might bephp_flag session.auto_start 0) it may solve the immediate problem but not the long term one. I'm pretty sure it's one of the page generation functions, so I'd be now looking to put that code above into the function boost_exit and then working backwards to see what triggers the flags to be set to false.Comment #30
TDBA commentedSooo to sum up the tests I did this morning:
As I said before the .htaccess file is a Drupal default file so there is an entry "php_flag session.auto_start off". Changing off to =0 does nothing.
The test process with the pages is exactly as you described. Loading the front page as anonymous with an empty cache and without cookies generates the _.html and sets the cookie. Going to another page does not generate subsequent cache pages. Deleting the cookie and then going to another page generates a cached copy.
Testing within the "function boost_exit($destination = NULL)" using " echo ("Here!");":
It seems that the function goes into the first
if (!isset($_boost['cache_this'])) {but after that it does not go into the next if and not into the next elseif but it arrives at the closing } of the outer if statement.
It does that every time with and without the cookie.
After that, looking at the next four options if elseif block: Without the cookie it ignores all four but with the cookie it goes into the last elseif
elseif (!drupal_page_is_cacheable()) {So in conclusion I am assuming the Drupal API sais drupal_page_is_cacheable()=FALSE and boost stops when the cookie is set right?
--------
Update:
I just found this nice page: http://facingworlds.com/drupal-7-bootstrap-explained-drupalbootstrapsession-and-drupals-session-handling
Manipulating the Drupal file "includes/session.inc" in line 252 and commenting out lines 252-254 boost works!
So what is it?
That seems kind of off to me. Why does Drupal say that pages are not cachable just when a session is open?
I can imagine that many modules (mis-)use sessions to store all kind of things even for anonymous users!
How to proceed from here? Two options for me: Manipulate a Drupal core file or manipulate the boost.module.
You can't answer me why this check is in the Drupal file and what for exactly but I hope you can tell me why that check that checks the Drupal API value is in boost.
If I would simply delete the last elseif in the boost.module could that have other unforeseeable consequences?
After finding this five year old article I kind of ask myself just why: https://www.drupal.org/node/590614
Comment #31
Anonymous (not verified) commentedWell the reason that boost uses the drupal_page_is_cacheable function is that if a DRUPAL_UID is set e.g. a non anonymous user is present then boost disables, also if something were to go wrong even on the anonymous side and a message sent by another module, then that page should be flagged a not cacheable so that it didn't hang around and present potentially compromising information to non-anonymous people. I agree something has not been very well though out, since having seen the if clause where $_SESSION['messages'] was set, I did think that it was a little off when really there should be a drupal core mechanism for $_COOKIE['DRUPAL_UID']['messages'] which would then also be linked in to the roles side of thing so that the correct people got the message too.
This theme you have, I would suggest having a look through and seeing if there are any session functions in it before disabling boost or a core function. Also a small concern has popped up, I've looked at your site for a few days now with firebug on and I cannot recall having ever seen a http 401 header which suggest a flaw in firebug because authentication is certainly requested and I was wondering if that triggered the session cookie so it might the worth temporarily turning that off just to check.
I agree with you about that five year old article and of ask myself why it will only be fixed in drupal 8, when in all likelihood boost will not exist in drupal 8 with the change over to the symfony framework and it's inbuilt file based caching, I've yet to see any concrete documentation but my feeling is very much that boost will become obsolete.
Comment #32
Anonymous (not verified) commentedprint_r($SESSION) would probably help to find out what it's got inside, or with shell access then
if the themes is setting the cookie, that should pull any PHP functions related to session handling
Comment #33
TDBA commentedThat's what you get for using a pre-made bought "premium" theme... my company decided on that to "save time" and now I am stuck with that -_-
Regarding your firebug and 401 header comment: I can't quite follow you what you mean by "temporarily turnign that off".
Regarding the sessions I inserted a check into the session.inc within Drupals function drupal_session_commit()
And yes the theme starts three sessions:
"stime", "default_preset" and "default_direction"
stime seems to check a timestamp of last changes for settings, the preset seems to relate to a custom css generation internal function and the direction is ltr.
In the end whatever! I guess these are essential for the theme to run properly so now I am stuck with the two options above:
1. I can delete from boost
or 2. I can remove the OR part from
out of the session.inc
I don't want to pass on boost for the site because anonymous traffic will be all the traffic (no login planned).
Should I roll a die or do you want any pros or cons for any of the two "quick fixes"?
I guess I will go with the "five year old patch" https://www.drupal.org/node/590614#comment-2324014 that seems to be the right way.
Comment #34
Anonymous (not verified) commentedI feel it would be safer to add an extra statement to the core code below
like
if (!empty($user->uid) || (!empty($_SESSION && !empty($_SESSION['time'] && ...)and hope that it has no negative impact on the theme itself. What concerns me is that boost is specifically designed not cache those private pages where information could be revealed like login.php and I would prefer to rely on the core mechanisms.
Regarding the 401 section, I just wondered what happened if you briefly turned off the Basic Authentication in the .htaccess file, I think this is a last chance hope, but some versions of apache have been known to do odd things with rewrite rules due to a bug that was later fixed but the original bug is still floating around in some distributions even with updates and the boost rules state that the response should be HTTP 200 so I was wondering if the initial HTTP 401 when one enters the password could in theory still be passed to the .htaccess file a second time and therefore skip the rules (I have no evidence of this but find it odd that I have seen no 401 headers when authenticating in firebug).
Comment #35
TDBA commentedNow I get what you meant. Made a quick test without the password authentication but no change so I will manipulate the session file.
I will also try talking to a system administrator next week. Maybe there are problems with the server instance too.
For now we can make a break here, put the lid back on and hope it stays there.
Thanks again for your co-operation.
Comment #36
Anonymous (not verified) commentedI've thought very hard about this and my advice is strongly "use another caching system with that template" do not alter any code. I believe that the underlying reason for the session is to make the website appear differently to tablet/ mobile users instead of having a responsive template that adjusts the css automatically. What concerns me is that user A visits the site using a mobile, user B visits the website using a computer, user B gets to see the version of the site that is mobile and requires touch screen navigation because boost has cached it.
I believe that the purchase of the template was not thought through by someone conversant with drupal and boost. The only thing that may be an alternative avenue is to rewrite a large section of the htaccess code to store different caches based on the values stored in the session which would have to be pulled out in PHP and set as a cookie, then boost would need major modification to remove stale cached files in the different cache locations. It is not an easy answer, and I'm sorry.
Comment #37
swim commentedThis issue & this article should help. They cover where (some) conditional functionality should live when using a caching mechanism such as Boost.
Comment #38
TDBA commentedMany/Some parts of that template are written with CSS3 media queries but who knows if there isn't some cheap shortcut via other means. I found many questionable design and coding decisions in PHP/CSS/JS code already so yeah maybe.
For the time being the "decision maker" want to prioritize something else but I will get back to that shortly.
Thanks for the additional considerations and tips.
P.S.: Still no answer from the creators of that theme.
Comment #39
tim520 commentedHi TDBA,
How did you solve this problem finally ? I met the same problem with yours.
Thanks
Comment #40
Prancz_Adam commentedHi,
Same issue here. But I can not find any session cookie.
Any update or solution? Delete this from boost solve the problem:
I'm using the latest dev version.
Can has_js cookie couse this issue?
Comment #41
hassebasse commentedThank you Prancz_Adam, you made my day !!!