Feeds in NNW behind HTTP auth refresh without downloading any items. NNW ignores cookies when reading feeds, and because securesite tries to set a cookie with a 302 redirect response, which goes back to node/feed, causing an endless loop.

Some relevant HTTP headers:

192.168.000.003.57704-069.044.153.099.00080: GET /node/feed HTTP/1.1
Host: [test site domain removed]
Accept-Encoding: gzip
User-Agent: NetNewsWire/2.0.1d1 (Mac OS X; http://ranchero.com/netnewswire/)
Authorization: Basic VGVzdCBVc2VyOnQzc3R1czNy
Connection: close

069.044.153.099.00080-192.168.000.003.57704: HTTP/1.1 302 Found
Date: Mon, 16 May 2005 23:09:07 GMT
Server: Apache/2.0.52 (Debian GNU/Linux) DAV/2 SVN/1.1.3 mod_ssl/2.0.52 OpenSSL/0.9.6c PHP/4.3.10 X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=eb664e71dbc484c97b18d36bd48824db; expires=Thu, 09-Jun-2005 02:42:27 GMT; path=/
Location: /node/feed
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

In short, the module needs to be able to send data to user agents that don't accept cookies, since in this cause with HTTP auth working fine, they are redundant.

Comments

chx’s picture

I do not think it is possible to avoid page reload. Let's take a look at the following snippet from bootstrap.inc:

function drupal_page_header() {
  if (variable_get('cache', 0)) {
    if ($cache = page_get_cache()) {
      bootstrap_invoke_all('init');

by the time securesite is called through hook_init, the page is loaded from cache. If you change the user during init and the now logged in user can access a node which is not accessible for the anonymous user (and you surely have otherwise you'd not use securesite) then we are hosed.

We need to reload the page somehow. I am open to suggestions, but drupal_goto seems to be the cleanest solution. JavaScript maybe??

I'd say, use trans_sid with NNW . I'd be surprised if it'd not be possible with Apache to set php values based on User Agents.

luomat’s picture

I believe this also causes problems with 'wget' which has authentication abilities:

Here is an example of what happens when I try to download a file from a Drupal site with wget using auth

wget --http-user="My Username" --http-passwd="mypass" 'http://example.com/system/files?file=foobar.93047.en.tgz'
--11:40:14--  http://example.com/system/files?file=foobar.93047.en.tgz
           => `files?file=foobar.93047.en.tgz'
Resolving example.com... done.
Connecting to example.com[127.0.0.1]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /system/files?file=foobar.93047.en.tgz [following]
http://example.com/system/files?file=foobar.93047.en.tgz: Redirection cycle detected.
junyor’s picture

Anonymous’s picture

Status: Fixed » Closed (fixed)