no warning is issued if cookies are not enabled

Making this a feature request instead of critical bug report. Tss.

There's some useful discussion over at http://drupal.org/node/137678 but we should continue with this, the oldest issue, as the active one that needs to be resolved.

This is a bit tricky but I figured it out. Messages do not work here too well because you get a new session on every single page. So we redirect you to a help page if there are no cookies, but not everytime.

trying to log in now brings to a page with a brief description about the missing cookie support. It could be enhanced later, but with this the bug is solved for now.

Errr... can you explain patch #10. Is it the right issue?

As to patch #7, this is a patch my poor brain can understand. I am satisfied that it is a good approach.
But we are only at the stage of reviewing the concept. #10 has not been reviewed, and #7 is not RTBC in any case: if the patch works and is accepted, at the very least the message on the no_cookie page should be improved (poor grammar, not enough information). It's good enough for testing, so it's good enough for now, but it will have to be improved before we can set it RTBC.

yeah #10 looks like the wrong patch.

I think we know that, by now.

What I would like to know, is the answer to #12, so that we can move ahead...

Well, #10 and #7 wanted to differ only in the path component and I indeed upped the wrong version. About the text, it's a placeholder, someone else will write the text, it's not my cup of tea.

Let's have this committed, and I will open a new issue about the text. This way we keep this thread to the technological issue, and that to discuss the helptext. How about it?

Applied nedjo's text and rerolled for HEAD.

Unfortunately, user/no_cookie gives me "Page not found."

Ah, yes, clearing the cache has made it work. Thanks!

Actually no, "Cookie problems" isn't a great title - implies that Drupal's having problems rather than the user's browser.

Would suggest "Please Enable Cookies" or something like that.

Slightly changed wording.

- Drupal core paths use dashes instead of underscores...should be user/no-cookie.
- Might as well just return t(...) instead of setting an unneeded $text variable.

subscribe

I suggest that user_no_cookie() should return theme('user_no_cookie') so sites can override this hard-coded text.

New patch. The only change here relative to #30 is the theme_user_no_cookie() instead of hard-coding the text.

This bug has always annoyed me but perhaps it is too late for D6. I think there are valid outstanding questions:

1. The default text (http://drupal.org/node/137678 has something but it isn't done).
2. Should the cookie path really be "/" and not session.cookie_path?
3. Probably others.

The cookie should be deleted after logging in.

Gábor, please don't try to save the world with this patch! There are countless reasons why cookies might not go through, beyond what the browser does, and every browser uses its own terminology anyway. I've never heard of "private browsing" -- would you really want to take responsibility for whatever could happen if a user "turns off private browsing" on some unknown system? Helping the user to solve the problem is way beyond what Drupal can do.

The intent of this humble patch is to diagnose the problem, and this alone will put us miles ahead of where we are now, where the user has absolutely no clue about why his password is accepted, but he still doesn't get access.

Users who have cookies turned off, will usually know how to turn them on, because the situation comes up regularly on all sorts of sites -- but they need to know what the problem is!!!

Please excuse me if this comes accross a bit too strong, but I'm desperate about this...

A lot better patch. Instead of session.inc , I patched drupal_anonymous_user. Same: if your system can't hold cookies then on the page load your cookie will be set but it's only available on the next page load. I have adjusted the cookie domain to the session cookie domain, too. And now I delete it in user_login_submit.

OK then. it's still better than the older ones because we now patch both places where anonymous user can happen.

Adjusted user_no_cookie function to use the relevant domain.

Yes, now it works perfectly, including deleting the cookie upon log-in. Thanks!

This is a huge useability improvement, and makes Help Desk workers happier :)

++ 1 for the patch.

I run with paranoid firewall and browser settings, and I can't remember encountering a site that didn't tell me I needed to enable cookies when it requires them, except for Drupal sites, that is.

Drupal really, really stands out (negatively!) in that respect...

Maybe I am missing something, but why is it needed to do a "setcookie('drupal_login_check', ..."?
If cookies are disabled, $_COOKIE will always be empty and if cookies are enabled, $_COOKIE will have at least one entry with the session name (except for first visit).
So in user_login_submit()

See attached patch. I tested it and it behaves the same as the patch from #48.
(But I could be wrong about the assumption that $_COOKIE will always be non-empty after first visit when cookies are enabled.)

I re-RTBC #48 -- I would never rely on an empty cookies array. In theory it's not even impossible that this check fails, ie. the browser holds the login checker cookie and not the session one... but it's imo much better than relying on an empty cookie array.

I would never rely on an empty cookies array. In theory it's not even impossible that this check fails, ie. the browser holds the login checker cookie and not the session one... but it's imo much better than relying on an empty cookie array.

Fair enough. But you can never trust a/every browser. You could even create a browser so that #48 would fail.
This issue is a usability issue, so we should solve it for most use cases/standard browsers, not all imaginable exotic corner cases. The point is to find the right balance between adding cruft and solving the issue for enough people/cases.
It would be nice to have some real life examples that would show that #55 is significantly inferior.
I just wanted to address the cruftiness concern of Dries.

@soxofaan: see #36...

(this problem may apply to the has_js cookie, too!)

+1 to make something like this a core feature.

Another way to look at this might be to stop the user from logging in if the person doesn't have cookies enabled before they actually login. Or just a standard text message on the login page stating that cookies must be enabled to login.

Edit: rewrote this post a bit.

* The patch does no longer apply.

* Is this something we can write a test for?

I made a D5 module based on this patch, http://drupal.org/project/cookie_check

Users reported a bug, possibly limited to IE7:

drupal.org/node/242060

The bug may be due to some change I made in adapting the patch but we shd try to reproduce before applying this.

I shouldn't complain as I didn't do any work to solve this issue, but it's hard to understand why there has been a patch that solves this problem for almost a year and it still hasn't been added. I often have user coming to me and complaining that login doesn't work and it's always because they haven't enabled cookies for this site.

Sometimes it seems a bit strange how difficult it is and how long it takes to get such basic things to be added to drupal. Every other CMS we use at the university does have this cookie warning feature...

I can only apply it to 6.x and I learned that almost no one cares about this because everything is patched in HEAD and maybe backported afterwards, maybe not.

It works fine in 6.x for my site, but I don't see how this helps :-(

> the patch was posted in May

That's not really true. The patch is from January, but it has been ignored until it didn't apply anymore, see #66. Then chx made the new version which just differs in the context lines, not in the patch code itself. And then this has again been ignored until it didn't apply anymore. And now it looks like chx is not interested in making another version of the patch (which might again be ignored for months?).

According to http://testing.drupal.org/pifr/file/1/user-no-cookies-2946-67.patch it was received for testing on November 8th. So I wonder what happened between May and November. It seems likely that a patch written in May for HEAD doesn't apply in November anymore.
Same for 6.x, but it was again just adjusting the context lines. If I had 7.x I would try to correct the patch, but I've no idea (yet?) how this testing stuff works and what must be done to make a patch get into this testing.

So, I don't know what I can do more to say "Works great in 6.x". But you're right, I could have said that earlier!

chx noted in #7 that messaging is potentially problematic in that, without cookies, data don't persist in the session.

In this case we remain on the same page and so messages set in the $_SESSION variable remain available for rendering; the form_set_error() call works.

This would break if e.g. a contrib module set a validation handler that called drupal_goto(). I think we can live with that though. Handling this as validation feels the cleanest.

The last submitted patch failed testing.

Patch applies and generally looks good. A couple of notes:

We may want to consider the help text "It seems your browser does not accept cookies." seems like slightly odd phrasing perhaps. Also, I wonder if it would be good to link to some generic "what the heck are cookies" page (e.g. on wikipedia?).

This looks a little nonstandard also - the function below it (which is equivalent) starts as "A validate handler on the login form....".

I think it's more important to have any hint on what's going wrong than just beeing unable to login. There are pages explaining how to activate cookies, but they usually miss my browser anyway or are for Netscape 6.x or sth.

This affects the installer as well. Some people have cookies turned off by default, but have a whitelist of web sites where it's accepted.
When installing a new site, the new domain may not yet be in the whitelist.
In such conditions, it is impossible to install Drupal at all, but the the warning given make it sounds like it's a sql issue, which is very confusing and does not help finding the solution.

The following critical installation issues are caused by the absence of cookie:
#234539: Critical SQL error in installer with {menu_router}
#261148: Menu first rebuild does not happen
#280015: cannot install drupal - menu_router error

As an example of how absence of cookies are handled elsewhere, turn off cookies and visit this web site:
http://www.expedia.com/
Can't miss the (scary) warning!

I think it's time to get the fix for this 2003 request rolling.

I've block cookies, log out of the fresh Drupal 7 head install and applied the patch. As soon as I try to log in, I get the proper warning "It seems your browser does not accept cookies. To log into this site, you need to accept cookies from the domain example.com".

Are there some issues which would prevent this patch from being committed?

Batman is not holy. :-)

I guess we should grab webchick today for the code sprint. I've have not seen her yet this morning.

I think it would be best for you to create two new issues for:

1. We need to issue a warning at install time what cookies are required. (User does not log in using the login form.)
2. There are other cases where cookies may be required although users are not logging in. E.g., functionality that uses cookies to track anonymous users.

:-)

We need tests for this. I check with cwgordon7 and he said it should be possible to override curlConnect() in your test case.

I relayed what I was told. There's a testing sprint going on this weekend, so plenty of people to ask in #drupal. :)

++ 1 Bug Report
++ 1 Usability Issue
++ 1 Expand this issue to cover other forms in addition to user_login

Any functionality that requires the presence of a cookie should alert the user if the cookie is absent.

Many thanks to chx and nedjo for addressing this issue and contributing to a solution.

As nedjo correctly pointed out in #92

2. There are other cases where cookies may be required although users are not logging in. E.g., functionality that uses cookies to track anonymous users.

The issue #502816: Anonymous users do not see status messages is one of those examples.

I was very surprised reading Dries comments on this issue.

robeano patch in #86 still applies. I'm requesting a re-test of his patch.

As per other comments I'm putting this back to RTBC. :-)

The patch fails. Needs a reroll.

Shouldn't the cookie validator run first, so the potential error message appears first?

"Form validation handler to ..."

These two lines need an inline code comment (each), explaining what is being done here.

Trailing white-space.

Lastly, we need a test for this functionality.

This review is powered by Dreditor.

Sub.

The last submitted patch, cookie_validate_2946_reroll.patch, failed testing.

Does anyone have any examples of Simpletests that check/manipulate the HTTP headers? I'm not really sure where to start with coding this without an example test to base it off of.

Basically we need to test two "browser"s:
- one that ignores any Set-Cookie response header (ignoring Set-Cookie means that a Cookie header is not added to subsequent requests), and
- one that handles Set-Cookie headers normally (Cookie header is added to requests)

You cannot assume that just because $_COOKIE is empty, the browser does not accept cookies. Since #201122: Drupal should support disabling anonymous sessions was fixed in January 2009, we no longer create sessions for anonymous users. If JavaScript is not enabled, the has_js cookie is not set. If JavaScript is disabled in your browser, you cannot log in with this patch.

If $_COOKIE is non-empty, then the browser supports cookies, at least partially. I don't know whether any browser has "partial" support for cookies. I would think (but it's just a guess) that if $_COOKIE is non-empty, we can assume that it will accept our cookie. Comments #57-59 discuss this, but without any clear conclusion AFAICT.

In any case, we need to set a cookie in one request a verify its existance in the next request. Setting a cookie from PHP to all anonymous visitors seems like a bad idea, because a Set-Cookie header is usually a sign that the page should not be cached (e.g. by default (and design) Varnish does not cache pages with a Set-Cookie header).

One possibility is to make the login form return to an interim page that just checks for the existance of the session cookie and then redirects to the final destination. This will add an extra request to all logins. The redirect happens automatically, so the additional request will be invisible to the user (except for a small delay).

If we conclude that a non-empty $_COOKIE is a safe sign that the session cookie will be accepted and the form submission contains a non-empty $_COOKIE (usually containing just the has_js cookie), we can skip the extra round-trip and just redirect to the final destination immediately. This would make the login as fast as today for users with JavaScript enabled, while other with JavaScript disabled would need the extra round-trip.

For inspiration on how to write tests for this, you may want to take a look at modules/simpletest/tests/session.test. To emulate a browser without cookie support you should probably tell cURL to not follow redirects using CURLOPT_FOLLOWLOCATION and then instead follow the redirects “manually” and reset the session cookie between each request.

Still looking for review on the general approach

subscribing

Even though the user_init() is just an isset(), I'd be happier with a check just during the process of logging in rather than having that code in the critical path.

Also if we're going to do a redirect from the login block anyway, and have a nice handy callback which controls that, then putting the cookie checking code in there is fairly tidy. The question then is whether the isset() in user_init() and very small bit of code weight there is better or worse than an extra bootstrap (but no page render) on logging in via the form. I'm not sure either way on that but lean slightly towards the log in form.

I don't like either the double redirect option, or the runtime check on every page here, but neither do I have any better ideas - would be good to get some feedback from others. However some of the information in this issue needs to be added to user_init() in a comment if we go for this option.

The tests are failing, so the patch still needs some work...

Sorry. Issues that have been in Drupal since 2003 don't get to hold "critical" status.

Ignoring the problem for 7 years doesn't make it less critical. Getting rejected to login without any notice why it happens is a critical usability issue.

Subscribe.

#114: cookie_validate_2946_114.patch queued for re-testing.

re: cookies and usability
The most recent 6.17 patch update rendered existing Firefox cookies useless. The result is that no recent visitor to my site can log in without first clearing cookies. Unfortunately, they have no way of knowing that. Truthfully, how many would think to do it given no prompt or message to that effect? Attempts to change password fail when following the emailed link. And what is the pain-in-the-a$$ cost for clearing all one's other, perfectly good cookies?

Nice software, generally, though!! Thanks to its authors :^)

subscribing...

subscribe