By Arkar on

When updating from 4.6.5 to 4.6.6 my users can't login. When i revert user.module file to 4.6.5 it works again. What is the problem ? Am I the only one experiencing this problem. Please help. My website is ageeclg.org .

Comments

Steven’s picture

Steven commented

What version of PHP are you using? The security fix for Drupal 4.6.6 requires PHP version 4.3.2 (which is below the minimum of 4.3.3 required for that release, so you should be okay).

--
If you have a problem, please search before posting a question.

Arkar’s picture

Arkar commented

PHP Version 4.3.2

Arkar’s picture

Arkar commented

Trying to upgrade my php version to see if it is the problem.

mwheinz’s picture

mwheinz commented

and I am not having this problem.

What's the difference between your user module and the 4.6.6 one? Did you modify it?

The patch to user.module is the addition of 4 lines related to generating a session id.

Arkar’s picture

Arkar commented

Did not modify it. I am using the official code. The only difference are the four line of code. And i still get the problem.

stillnobodyknows’s picture

stillnobodyknows commented

I've just upgraded my drupal from 4.6.4 to 4.6.6 and have the same problem.When a registered user attempt to log in , it seems on admin panel as "logged in" but user isn't. Any ideas?

Arkar’s picture

Arkar commented

I suggest you switch user.module to 4.6.5 version until we find a solution.

laura s’s picture

laura s commented

Any help if you empty/truncate the sessions and cache tables?

Laura
_____ ____ ___ __ _ _
pingVision, LLCBlogHerrare patternscattered sunshine

_____ ____ ___ __ _ _
Laura Scott :: design » blog » tweet

catastrofus’s picture

catastrofus commented

Yep, in my case it solved the login problem.

Gert

Arkar’s picture

Arkar commented

Did not work for me.

bonobo’s picture

bonobo commented

My upgrade process:

1. Read the patches; see that they affect the the following files:

  • common.inc
  • menu.inc
  • book.module
  • user.module
  • xtemplate.engine

2. Upload the new files listed in step 1.

My environment is:

MySQL 4.1.14
PHP 4.4.1
Apache 1.3.34

If you are having the problem mentioned in this thread, please post back with your operating environment, as that will help to troubleshoot the issue --

Cheers,

Bill

-------
http://www.funnymonkey.com
Tools for Teachers

-------
http://www.funnymonkey.com

venkat-rk’s picture

venkat-rk commented

Just wondering if simply overwriting these files in my 4.6.5 install with the new ones from 4.6.6 will upgrade the site? Is this a good way to do it?

bonobo’s picture

bonobo commented

on seven different sites.

But, as always, your mileage may vary :)

In all seriousness, I'd love to get feedback on this method. I arrived at this process after reading through the text of the patches and seeing what files were affected.

It's possible that there are small changes in other modules/files that aren't critical, and therefore aren't reflected in the patches.

But, based on what the patches do, these changes should address the security issues.

Cheers,

Bill

-------
http://www.funnymonkey.com
Tools for Teachers

-------
http://www.funnymonkey.com

venkat-rk’s picture

venkat-rk commented

Thanks for responding so quickly. Since I have dba module sending me regular backups of the database and also have file backups, this seems an easier way of doing things.

I am going to try this out tomorrow to see how it goes.

Thanks again.

rjung’s picture

rjung commented

I patched three sites, no problems.

--R.J.
http://www.electric-escape.net/

--R.J.

tesla.nicoli’s picture

tesla.nicoli commented

I think the problem is that the session id is not being explicitly set as shown in the documetation. 

      $old_session_id = session_id();
     session_regenerate_id();
      db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);

      session_start();
      $old_session_id = session_id();
     session_regenerate_id();
     $new_session_id = session_id();

      db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", $new_session_id, $old_session_id);

This might also be because the session cookie does not change in 4.3.2 but it does change in 4.3.3.

I might be helpful to know if you are running windows also.

stillnobodyknows’s picture

stillnobodyknows commented

Thanks a lot ! After your suggestion my Drupal site works very well.

Arkar’s picture

Arkar commented

This does not work for me.

peterthevicar’s picture

peterthevicar commented

Had the same 'can't log in' problem with upgrade from 4.6.4 to 4.6.6
I narrowed it down to the 4 line change in user.module.
The fix with $new_session_id made it work.

peterthevicar
drupal site: http://www.lymingtonchurch.org
php 4.3.2

Dublin Drupaller’s picture

Dublin Drupaller commented

that worked for me..nice one.

Dub

Currently in Switzerland working as an Application Developer with UBS Investment Bank...using Drupal 7 and lots of swiss chocolate

ProgressiveBastion’s picture

ProgressiveBastion commented

I opened my user.module and could not find any <?php> tages in the vicinity of the above example. But everything looks in my user.module just like above before the fix. Are the
tags suppose to be added I wonder? What I mean is should I nest a new set within the tags that all the info of this module enclose. I guess I can try both ways...

PHP version 4.4.2, MySQL ver. 4.1.18-standard, Apache version 1.3.34 (Unix)

peace to all beings, Michael S.
ProgressiveBastion.com

Yup, I'm Liberal... Liberal lib~er~al (lbr-l, lbrl),

laura s’s picture

laura s commented

* knock wood *

6/6 sites so far, without a hitch. (Although I have to keep rewriting the file paths as "cvs" does not figure in the installs I have. I'm sure I'm missing some obvious *nix option to avoid all that typing.)

Edited to add my "duh" moment: proper syntax:

patch -p0 < 4.6.5.patch

I will now take my learning curve back off-line.

PHP 4.4.1. MySQL 4.1.14.

Laura
_____ ____ ___ __ _ _
pingVision, LLCBlogHerrare patternscattered sunshine

_____ ____ ___ __ _ _
Laura Scott :: design » blog » tweet

giuseppe@www.rebelsoft.org’s picture

giuseppe@www.rebelsoft.org commented

The second patch give me this "error"

[giuseppe@earth drupal-4.6.5]$ patch -p0 < ../4.6.5.patch
(Stripping trailing CRs from patch.)
patching file includes/common.inc
(Stripping trailing CRs from patch.)
patching file modules/book.module
(Stripping trailing CRs from patch.)
patching file themes/engines/xtemplate/xtemplate.engine
[giuseppe@earth drupal-4.6.5]

Is it normal? :-(

Thanks

giuseppe@www.rebelsoft.org’s picture

giuseppe@www.rebelsoft.org commented

Solution

mwheinz’s picture

mwheinz commented

A little late, since you solved the problem, but:

If you sent the patches to your site as ASCII file via FTP, it might have added the CRs.

nemu’s picture

nemu commented

I tried to update my two drupal sites running 4.6.5 by downloading the tarball and then just replacing the affected files,

common.inc
menu.inc
book.module
user.module
xtemplate.engine

After that was done I tried to log in to the page but it didnt work, the site went blank and the url turned www.example.com/en/user/login?destination=user
(yes, i'm using i18n)

I cleared the sessions and cache tables and local cache of browser and tried to open the homepage but this time nothing happened at all (page went blank). I'm using phptemplate instead of xtemplate so I also downloaded the engine file from CVS but without any improvements.

So I uploaded the old menu.inc file and now I can see the site again, but not log in (same error as before).

Any tips what it can be?

Edit:
One of the sites was successfully updated! But it is not running i18n module. Both are on same server environment though.

---
Running Apache, PHP 4.4.1, MySQL 4.0.24

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented

Try re-running the patches in the il8n/patches directory and see if that solves the problem.

crunchywelch’s picture

crunchywelch commented

The user.module patch prevents login on several sites I have. I will investigate more, but for now I am using the unpatched version.

rar’s picture

rar commented

I confirm this with an interesting twist. In working with one user, although clearing their browser's cookies, cache, and rebooting did not solve their problem. Installing Firefox and using it instead of IE version 6 allowed them to login.

Server:
PHP: 4.4.0
MySQL: 4.1.13

Arkar’s picture

Arkar commented

I use firefox and it doesnt change anything.

gottsman’s picture

gottsman commented

FYI... Experiencing the same problem with the 4.5.8 release. Backing off to the previous 4.5.7 user.module works fine.

I upgraded my php version after reading the previous posts. It was previously at 4.3.2. Still getting the same results.

Specs:
RHEL 3 ES Update 7
Apache 2.0.46
PHP 4.4.2
MySQL 4.1.16

mkpaul’s picture

mkpaul commented

Same problem here too... php version 4.3.2.
Reverted to old user.module and now i am able to login.
Is there a security problem if i am using the old user.module?

Arkar’s picture

Arkar commented

Could someone please help with a solution with this issue please or tell me what can i do. I understand there is security issue in this case it is important. Where can i file a bug ?

mrb’s picture

mrb commented

Apache version 1.3.34 (Unix)
PHP version 4.3.11
MySQL version 4.1.13-standard-log

The edit shown above re session_id did not help.

I have copied in the 4.6.5 user.module as a temporary fix.

Dublin Drupaller’s picture

Dublin Drupaller commented

I'm having the same problem. Has anyone raised an issue/bug for this?

It's a showstopping bug.

Dub

Currently in Switzerland working as an Application Developer with UBS Investment Bank...using Drupal 7 and lots of swiss chocolate

tannoiser’s picture

tannoiser commented

Hi.

For what I can say, i hit this bug when use php 4.3.2 (on some hoster).
The solution is posted before here:
http://drupal.org/node/53838#comment-101856

You have to:
* verify which php version is
* apply the suggested fix

Hope this help.

cbdebris’s picture

cbdebris commented

PHP 4.4.1
Linux 2.6.9-22.0.1.ELsmp
MySQL 4.1.14
Apache 1.3.34

Followed the documentation to perform the patch. Can't log in and neither can anyone else trying to use the site. Flushed the tables. Nothing. Tried putting back the affected .module pieces (4.6.5 modules). Still doesn't work.

I suppose if I were a programmer I would know what to do with PHP -- but I don't. I hope a fix appears soon because I've decided to go back to 4.6.5 and take my chances.

clauz’s picture

clauz commented

I have 2 clean Drupal 4.6.6 versions: one locally with Windows + IIS + PHP 4.4.0 and then one on the hosting wich has Unix + Apache...

Online I was able to create account and log in wihout any patch nor anything.

Locally, I was not able to login, nor to fix it with any of the things/solutions I have read on the forums.

Any thoughts?

Clauz
---------------------------------
http://www.clauz.com.ar
...I am going through A Momentary Lapse of Reason...

kb5ql’s picture

kb5ql commented

We were definitely experiencing the same problem. Since we're locked into PHP 4.3.2, the latest user.module 4.6.6 code with the session_id() caused problems. Our workaround was to create a custom block that only shows up on:

http://<yoursite>/user
http://<yoursite>/user/login

pages. Please note that this will not work if you use the user_block (mini-login). I would recommend you disable that and create a custom block that takes users to the generic login screen. This also requires that javascript be active in the users' browser.

<script language="JavaScript" type="text/javascript">
   function DestroyCookie() {
      document.cookie = "PHPSESSID=;path=/;expires=Thu, 01-Jan-1970 00:00:01 GMT";
     // alert("Session ID destroyed. You may now login.");
   }
DestroyCookie();
</script> 
<noscript>To login, Javascript needs to be enabled.</noscript> Login with your username and password.

I implemented this because I didn't feel like patching the core knowing that a fix will likely be out sometime soon.

The other option is to simply comment out the following three lines in the user.module:

(somewhere around lines 816-818)

      $old_session_id = session_id();
      session_regenerate_id();
      db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);

but then you're bypassing the security patch update.
--
Michael Jelks
http://www.planetizen.com
http://www.zaftig.net

flatcap’s picture

flatcap commented

I'm using drupal-4.7.0-rc3, but only php 4.3.2.

You say that these three lines cause the problem:

    $old_session_id = session_id();
    session_regenerate_id();
    db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);

Commenting them out certainly fixes the problem. However you say that was a security fix.
Checking on php.net, in php 4.3.3 session_regenerate_id() sets a new cookie, where 4.3.2 doesn't.
I need someone knowledgeable to confirm this, but it sound like all we need to do is run session_start().

    $old_session_id = session_id();
    session_regenerate_id();
    session_start();
    db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);

This works for me.

FlatCap (Rich)

kb5ql’s picture

kb5ql commented

I failed to mention that you need to make sure that this block ONLY shows up on the:
user
user/login

pages. Don't enable this block until you set those parameters, otherwise you won't be able to login as your cookie will be destroyed on each page load. If this happens, you will have to remove the block manually from the database in the 'boxes' table.

--
Michael Jelks
http://www.planetizen.com
http://www.zaftig.net

geme4472’s picture

geme4472 commented

Pulling out hair. I too am struggling with this bug, and I've got some serious deadlines which will see me working through this weekend (ugh!).

Does anyone know when this might be fixed? I can't seem to get the other two examples in this thread working [the ones with session_start();], but obviously if I take out the security fix--and therefore the security--everything is dandy. Is there an issue opened for it?

THANKS!

legacyb4’s picture

legacyb4 commented

Commenting those three lines out did the trick.

Hope there is a patch coming out soon that will address this issue.

Cheers.

ProgressiveBastion’s picture

ProgressiveBastion commented

I commented out the 3 lines (lines 815-819, just to make sure ;-) ) and tried the fix. It didn't work.

I then used Firefox and looked around my cookie area. Yet for some reason my domain progressivebastion.com was blocked Privacy--> Cookies--> allowsite to set cookies (yes)-->exceptions. Even though 2 weeks ago I explicilty set it to accept. HMMMM! It was set to block (on my own domain). Very Interesting! I cleared the block and then set the domain to allow which I did 2 weeks ago, and it then worked!

So it worked! But, how the heck did it change my permissions on cookie exceptions is what I want to know? Well it looks like just below this post their is a reference to a Patch. I'll be back after I get it patched & if I have anything to report other than failure.

PHP version 4.4.2, MySQL ver. 4.1.18-standard, Apache version 1.3.34(Unix)
Hosted by OpenSourceHost.com a truely professional crew...

peace to all beings, Michael S.
ProgressiveBastion.com

Yup, I'm Liberal... Liberal lib~er~al (lbr-l, lbrl),

goose2000’s picture

goose2000 commented

I read all through these, no patch worked for me (not sure if I applied it right?). But the guys who were looking into the user.module around this sessions area are on to the right path for a true reason and fix:

$old_session_id = session_id();
//session_regenerate_id();
db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);

Anyways, I just commented out //session_regenerate_id(); and then it worked fine!
What does that funtion do? How can it be reviewed / fixed?

To recap, I am using:

Windows 2000 IIS
PHP 4.4.2
MySQL 4.0.21

Drupal 4.7.2 ! Yeah!

heine’s picture

heine commented

session_regenerate_id() [snip]
What does that funtion do? How can it be reviewed / fixed?

session_regenerate_id is a php function that generates a new session id to prevent session fixation attacks [PDF].
--
The Manual | Troubleshooting FAQ | Tips for posting | Make Backups! | Consider creating a Test site.

DaveC426913’s picture

DaveC426913 commented

Thanks for that, Goose. Your fix worked for me too! Here's to hoping it doesn't cause any further problems downstream.

crunchywelch’s picture

crunchywelch commented

http://drupal.org/node/60584

Bevan’s picture

Bevan commented

This is only a problem for me in IE if I login as one user, then log out, and log in as another user. Only in IE. FF is fine. My solution is to leave user.module as is -- for security, and delete cookies when the bug comes back. Other users on the site don't have more than one user. I do.

http://lucion.com.ar

Bevan/

ProgressiveBastion’s picture

ProgressiveBastion commented

The above says it. I logged off after I patched & then was able to do a admin log-in, very cool! Thanks everyone for the help, I'm definitely glad you guys are here. Where would some of us be if not for your folkes effort? Now where...

PHP version 4.4.2, MySQL ver. 4.1.18-standard, Apache version 1.3.34 (Unix)
Hosted by OpenSourceHost.com a truly professional crew...

peace to all beings, Michael S. of
ProgressiveBastion.com