I previously posted this issue earlier today as a Forum topic but thought I should try here. The original post is at http://drupal.org/node/242356

The problem:

1. User comes to site and sees default page for anonymous users with no links to content such as blogs and forums, etc.
2. User logs in and views several pages as an authenticated user.
3. User logs out. They return to the default front page but they do not see a message saying they are now logged out.
4. User then clicks browser back button and sees previous pages viewed while logged in.
5. User can click on menu items such as blogs and forums and view content available to authenticated users but that they had not navigated to in the session before logging out.
6. If user clicks on "My account" or "Log out" they get an Access denied error.

Expected behaviour is that once a user logs out they cannot view logged in pages by clicking the browser back button and should not be able to then go on and access more content meant for authenticated users.

Clearing the browser cookies does not solve the problem. Clearing the browser private data does solve the problem, but this should not be left up to the end user.

The same problem can be reproduced on the development system that was installed on a Windows desktop.

I am not sure if the migration path we used is a factor.

On the Linux server we created a new MySQL database.
The Windows desktop Drupal installation files were copied by ftp to the server.
The Windows desktop Drupal MySQL database was exported and then imported to the new MySQL database on the Linux server.

Should we have created a new Drupal installation on the Linux server first and then imported the MySQL database with some overwrite settings enabled?

Any help would be appreciated. We are under significant time pressures as the community web site needs to go live asap and is now on a server for alpha/beta testing.

Thanks very much,

Izzy

Comments

gpk’s picture

Status: Active » Postponed (maintainer needs more info)

Can you pls confirm 5. above. If I log out and navigate to URLs that I have not previously visited but which are not available to anon then I get Access Denied. Same if I navigate to URLs I *have* visited before, if they are not available to anon. However I can confirm 4. (viewing pages previously visited by pressing back button), but I think that this is the expected behaviour.

As far as I can see, when you log out you keep the same session ID in the session cookie, but the uid recorded against the session in the {sessions} table in the database is set to 0, i.e. you become anon user.

izmeez’s picture

Thank you for taking the time to try to help.

Yes, I can confirm Step 5 from the original description.

I have just checked again.

User permissions are set such that anonymous user cannot access any blog or forum functions while authenticated users and other roles can. However, under node access anonymous users are checked to have access otherwise they cannot see the default front page when first coming to the site.

The Navigation block permissions exclude anonymous users but when step 5 is executed the logged out user cannot get into "My account" or "Create content" but can get into "My blog", "Recent Posts", "Feed aggregator", and "Category browser".

I have also created a block called Features Menu that includes two items, one for blogs where "?q=blog" and the other for forums where "?q=forum". Again, I have checked the block permissions and anonymous users are excluded yet these functions are still active for the logged out user.

If the logged out user truly became an anonymous user with the correct permissions that might be fine but that is not what I am finding.

I hope the additional clarification is helpful. Any suggestions are welcome. Thanks,

Izzy

gpk’s picture

OK the block permissions only control visibility of the block (i.e. Navigation or Features menus in your case). Access to pages is (usually) worked out on the basis of the URL requested.

URLs ?q=blog/x (my blog), ?q=tracker (Recent posts) and the others are available to all users, logged in or not. Similarly ?q=blog and ?q=forum.

So all that I think is happening is that you are using the links on a stale page to see content you have access to in any case when not logged in. If you want to restrict permissions to "view" content (other than by using the global "access content" permission) then you need to use a node access control module, e.g. http://drupal.org/project/tac_lite.

izmeez’s picture

Thanks for this. I will try it out and report back.

Izzy

izmeez’s picture

Priority: Critical » Normal
Status: Postponed (maintainer needs more info) » Fixed

gpk, thanks very much for your help. I believe the problem is solved.

I don't know if this is right, but I have changed the topic Priority to normal and the Status to fixed.

I discovered that:

1. There was a conflict with the beta version of Site documentation module (v 1.5.2.1) and the logout; sometimes causing the logout not to reset the left bar where we have the user navigation menu to the default. Not a criticism, something to be expected at this stage of development.

2. I have not had time to try the tac_lite module and look forward to adding that as it seems the behaviour we are now experiencing is exactly as you describe. To make some content visible to an anonymous user we had to give user permission to content access. This has made other Page views visible, but not any custom views created with the Views module.

Thanks very much,

Izzy

gpk’s picture

OK great :-)

If the maintainer of Site doc is not aware of this problem in the beta version then I suggest you change the Project accordingly and set status back to active.

izmeez’s picture

On further testing I have found that Site doc is not the problem.

The problem is in setting the Drupal Performance page cache to "normal" as recommended for production sites. Site doc just alerted me to the fact that it was originally disabled. I have since disabled it and the main problem of the left bar continuing to show the navigation menu even after logout has been resolved. I left Block cache enabled.

Sorry for any confusion with my earlier false alert to the Site doc module. Just as well I didn't rush to send such a notice to those developers.

I still need to get the Tac-Lite module up to deal with content.

Thanks for all your help

Izzy

gpk’s picture

Hmm, the behaviour you are experiencing still sounds a bit odd. With page cache enabled (normal) and block cache enabled, when I log out the Navigation block is immediately replaced by the login block. If I hit the browser back button to a page I've not visited since I logged out then the Nav block *is* still shown, but this is normal browser behaviour. But if I revisit such a page by clicking a link, typing a URL or hitting the browser Refresh button then the blocks are correctly reloaded. This is I think what you should be seeing, even with page cache enabled. (The page cache is only used for anonymous users ... maybe try hitting the Clear cached data button and see if that helps.)
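
The difference described in the comment above (Back redisplays the old page, while a link, typed URL or Refresh reloads it) depends on the `Cache-Control` directives sent with pages served to a logged-in user. As an added example that is not part of the thread or of Drupal's code, this Python script classifies such headers; the sample headers and the paths `?q=user/1` and `?q=node/add` are constructed for illustration.

```python
# Added example: classify Cache-Control on pages served to a logged-in user.
# Header samples below are constructed for illustration, not captured from a site.

def cache_directives(raw_headers):
    """Collect Cache-Control directives from every such header line."""
    directives = {}
    for line in raw_headers.strip().splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "cache-control":
            continue
        for part in value.split(","):
            key, _, arg = part.strip().partition("=")
            if key:
                directives[key.lower()] = arg.strip('"')
    return directives

def after_logout_exposure(raw_headers):
    """How the browser may reuse this response once the user has logged out."""
    cc = cache_directives(raw_headers)
    if "no-store" in cc:
        return "not-stored"      # no local copy to redisplay
    if "no-cache" in cc or cc.get("max-age") == "0":
        return "history-only"    # links/reload revalidate; Back may show the old copy
    return "reusable"            # may be served from cache without asking the server

def audit(samples):
    """Map each path to its exposure class."""
    return {path: after_logout_exposure(h) for path, h in samples.items()}

SAMPLES = {  # constructed responses to an authenticated request
    "?q=user/1": "HTTP/1.1 200 OK\nCache-Control: no-store, no-cache, must-revalidate\n",
    "?q=node/add": ("HTTP/1.1 200 OK\nCache-Control: no-cache, must-revalidate\n"
                    "Cache-Control: post-check=0, pre-check=0\n"),
    "?q=tracker": "HTTP/1.1 200 OK\nCache-Control: private, max-age=300\n",
}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        print(f"{path:12} {verdict}")
```

A `history-only` result matches the behaviour described in the comment: the server is asked again on a normal visit, but the browser's history may still show the page as it was before logout.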

izmeez’s picture

Status: Fixed » Postponed (maintainer needs more info)

Thanks for hanging in there with me on this one, gpk.

I haven't had time to take that any further right now as the object is to have the site up and running yesterday. So, as you can appreciate, now that this one is sufficiently advanced there are other priorities.

I changed the status of the message back to active (needs more info), hope that's the right thing to do.

There are a couple of other items that I should maybe post under a separate title. Although, they are closely related and have to do with the Login and registration sequence.

I am trying to integrate the Drupal Login with LoginToboggan, the Front page module and Autologout which I understand are early adaptations.

1. I seem to be having trouble locating the message displayed to users when they have registered. I need to change that because on this site users must be authenticated first. It works fine but I need to change that message.

2. The web links that are sent to users when they have been authenticated and whenever they request a password default to one day. I need to change these. One value would be fine but each separately would be better, I think.

3. Also is there a default logout message that is displayed or is it just the return to the beginning default page? This is a lower priority to me but it would be nice to have the choice.

Again, thanks for the help.

Izzy

izmeez’s picture

I have installed Drupal 6.2 and the behaviour seems to be fixed to what I was expecting. I haven't had time to fully test this but noticed two items in the Drupal bulletin http://drupal.org/node/244667 that may have resolved this:

http://drupal.org/node/232037 by pwolanin: (performance) block regions should only be populated when called for, not in all cases (fixes performance expectation on 403/404 pages)

http://drupal.org/node/226728 by chx: (performance) temporary cache table entries were not flushed, causing cache_menu and cache_form to grow big

Izzy

szy’s picture

Version: 6.1 » 6.8
Priority: Normal » Critical

It seems it still happens in the exact way as written in the issue:

Drupal 6.8
Domain Access 6.x-2.0-rc5
LoginToboggan 6.x-2.x-dev (2008-dec.-10)
Masquerade 6.x-1.0
@Chrome, IE6, FF3.

Right after logging out, it's enough to hit Ctrl+F5 to see the user logged in again.

Szy.

szy’s picture

Title: Log out problem with Drupa1 6.1 » Log out problem with Drupal

szy’s picture

... solved by turning off the standard Drupal login block. Strange, or not?

Szy.

timmeh’s picture

Version: 6.8 » 6.12

I am still having this exact same problem. When I log in, it shows that I am logged in for a bit, then when I hit my "home" link or the banner which links home, it shows the log in box even though I'm logged in. And I know I'm logged in because I can make new posts as a member, which only logged in members can do. Same with logging out sometimes. I'm actually logged out but it shows that I'm logged in.

I've disabled the standard Drupal login and enabled LoginToboggan, and vice versa. Nothing seems to help. Please help.

gpk’s picture

> then when I hit my "home" link or the banner which links home, it shows the log in box even though I'm logged in
Sounds like you are seeing a cached version of the page from before you logged in. What happens if you press CTRL-R or F5 to force a refresh? What browser are you using? Does this happen when accessing the site from different computers on different internet connections?

izmeez’s picture

This issue is discussed further at

http://drupal.org/node/197786

Unfortunately someone recently changed the title of the post. It used to be something like "authenticated content still visible after logout" which I thought was a more appropriate title.

Fortunately, there is a solution in comment #61 http://drupal.org/node/197786#comment-1055633 of that thread that is worth trying. I have been very happy with it. http://drupal.org/node/197786#comment-1649624

My previous comments in this thread were from last year when I was more of a neophyte. I now realize that my solution was not a true solution but simply the result of using the Advanced front page module and not allowing anonymous users access to content and setting permissions to allow anonymous users to access Advanced front page.

But, check out the other thread. The solution is a hack to core, but hopefully sometime soon the experts will find a solution to commit. Meanwhile, I am using the solution offered there.

Hope this helps,

Izzy

dpearcefl’s picture

Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)

Closing due to lack of response.

sowmya2205’s picture

Version: 6.12 » 6.22
Assigned: Unassigned » sowmya2205
Category: bug » support
Status: Closed (cannot reproduce) » Active

In my Drupal website, I am using Drupal 6. For the pages with different design I am using different page-x.tpl.php. This is working fine. But for some pages the user session gets cleared. The logged in user gets logged out. Can anyone help on this issue, if there is any problem in using multiple tpl pages?

thanks

dpearcefl’s picture

Assigned: sowmya2205 » Unassigned
Priority: Critical » Normal

Do you have the exact same problem as originally reported? If not, please open your own issue with your own description of the problem.

Have you tried all of the suggestions listed above?

BTW: I have changed the "Assigned" field because that is for the person who is working to resolve the problem (coding, changing documentation, etc.). This does not describe you as the person reporting the problem.

kars-t’s picture

Status: Active » Fixed

Hi

I am closing this issue to clean up the issue queue. Feel free to reopen the issue if there is new information and the problem still resides. If not please make sure you close your issues that you don't need any more.

Maybe you can get support from the local user group. Please take a look at this list at groups.drupal.org.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.