Feeds in NNW behind HTTP auth refresh without downloading any items. NNW ignores cookies when reading feeds, and because securesite tries to set a cookie with a 302 redirect response, which goes back to node/feed, causing an endless loop.
Some relevant HTTP headers:
192.168.000.003.57704-069.044.153.099.00080: GET /node/feed HTTP/1.1
Host: [test site domain removed]
Accept-Encoding: gzip
User-Agent: NetNewsWire/2.0.1d1 (Mac OS X; http://ranchero.com/netnewswire/)
Authorization: Basic VGVzdCBVc2VyOnQzc3R1czNy
Connection: close069.044.153.099.00080-192.168.000.003.57704: HTTP/1.1 302 Found
Date: Mon, 16 May 2005 23:09:07 GMT
Server: Apache/2.0.52 (Debian GNU/Linux) DAV/2 SVN/1.1.3 mod_ssl/2.0.52 OpenSSL/0.9.6c PHP/4.3.10 X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=eb664e71dbc484c97b18d36bd48824db; expires=Thu, 09-Jun-2005 02:42:27 GMT; path=/
Location: /node/feed
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
In short, the module needs to be able to send data to user agents that don't accept cookies, since in this cause with HTTP auth working fine, they are redundant.
Comments
Comment #1
chx commentedI do not think it is possible to avoid page reload. Let's take a look at the following snippet from bootstrap.inc:
by the time securesite is called through hook_init, the page is loaded from cache. If you change the user during init and the now logged in user can access a node which is not accessible for the anonymous user (and you surely have otherwise you'd not use securesite) then we are hosed.
We need to reload the page somehow. I am open to suggestions, but drupal_goto seems to be the cleanest solution. JavaScript maybe??
I'd say, use trans_sid with NNW . I'd be surprised if it'd not be possible with Apache to set php values based on User Agents.
Comment #2
luomat commentedI believe this also causes problems with 'wget' which has authentication abilities:
Here is an example of what happens when I try to download a file from a Drupal site with wget using auth
Comment #3
junyor commentedApparently fixed: http://cvs.drupal.org/viewcvs/drupal/contributions/modules/securesite/se....
Comment #4
(not verified) commented