I have posted here http://drupal.org/node/202845 a temporary patch for Secure Site to solve a conflict with php module. May be the problem will be solved modifying phpbb module that is still under development.

CommentFileSizeAuthor
securesite.module.patch497 bytesDevis

Comments

junyor’s picture

Status: Needs review » Postponed (maintainer needs more info)

Would you please provide more information about the conflict and how it can be reproduced? Thank you.

Devis’s picture

First install "phpBB" and "SecureSite" modules. PhpBB module require phpBB .htaccess editing to handle login and logout.

RewriteCond %{QUERY_STRING} ^mode=logout(.*)$
RewriteRule ^ucp.php(.*)$ ../phpbb/logout [L]

When the user is in the forum and click "Logout" he is redirected to http://www.site.com/phpbb/logout a menu call for the function "_phpbb_logout()":

function _phpbb_logout() {
  session_destroy();
  module_invoke_all('user', 'logout', NULL, $user);

  // Load the anonymous user
  $user = drupal_anonymous_user(); 
  drupal_goto($phpbbcfg['path_rel']);
}

This invokes "user logout" so the execution is passed to all implementations of hook_user and particularly to SecureSite one:

function securesite_user($op, &$edit, &$user) {
  if ($op == 'logout') {
    module_invoke_all('exit', request_uri());
    unset($GLOBALS['user']);

    $securesite_enabled = variable_get('securesite_enabled', 0);
    if ($securesite_enabled == 1 || $securesite_enabled == 2) {
      securesite_user_auth();
    }
    else {
      // redirect first to browser prevent caching problems
      securesite_goto();
    }
  }
}

where there is a call to securesite_goto()

function securesite_goto() {
  global $base_url;

  $url = (arg(0) == 'logout' ? $base_url :  request_uri());
  if (ini_get('session.use_trans_sid') && session_id() && !strstr($url, session_id())) {
    $url .= (strstr($url, '?') && !strstr($url, $sid) ? '&' : '?') . session_name() . '=' . session_id();
  }

  header('Location: ' . $url);
  exit;
}

that finally calls

header('Location: ' . $url);

At this point $url equals to http://www.site.com/phpbb/logout so the browser is redirected to the initial url causing a redirection loop.

Also note that the securesite_goto() exit conflicts with _phpbb_logout() because the execution never returns there to execute the last rows:

  // Load the anonymous user
  $user = drupal_anonymous_user();
  drupal_goto($phpbbcfg['path_rel']);
junyor’s picture

Status: Postponed (maintainer needs more info) » Closed (won't fix)

I'd really rather not have module-specific changes hacks in Secure Site. There is one for LDAP Integration because Secure Site and LDAP are a natural fit together. Maybe if there is more demand for this, we'll look at it again. Until then: won't fix.