Hello, I am new to Drupal and I'm having trouble figuring out my login problem. I have a successful install on a local network server. Apache 2.0.46, PHP 4.3.2, MySQL 4.1.10. I am having trouble with session cookies. So far I have discovered:

  1. When I first come to the login page, a PHPSESSID cookie is set. This id matches the sid for uid 0 in the sessions table. I see that uid looks like an anonymous user that is created when I create my admin user (uid 1).

  2. If I try to log in as admin with the correct password, the watchdog table reports I have successfully logged in, but the PHPSESSID returned after the login event is the same as the sid for the anonymous user. At this point, I have two sid's in the sessions table. One corresponding to uid 1, and one corresponding to uid 0. If I change my local cookie PHPSESSID to match the sid from the sessions table, I am successfully logged in as admin.

  3. If I logout, my PHPSESSID cookie remains.

  4. When I return to the login page, even with a PHPSESSID cookie that matches an existing sid for uid=1 in the sessions table, I am unable to login. My PHPSESSID cookie is reset with a new 'anonymous' session id when I attempt to log in.

  5. When I go to the login page without a cookie, an 'anonymous' PHPSESSID cookie is set. If I delete this cookie and then attempt to login, I am always successful. The same if the existing cookie corresponds to a session for uid=1.

  6. I have put some var_dump()s and printf()s to see what queries are being run and what the values of $user->uid are. Here are my findings:

    • When I log in, the $user->uid in modules/user.module is correctly reported as uid=1 in the user_login() function. However, by the time includes/session.inc is run, $user->uid is reported as 0 in sess_write().

  7. My current configuration settings:

    $base_url = 'http://10.8.4.17/drupal';
    ini_set('arg_separator.output', '&');
    ini_set('magic_quotes_runtime', 0);
    ini_set('magic_quotes_sybase', 0);
    ini_set('session.cache_expire', 200000);
    ini_set('session.cache_limiter', 'none');
    ini_set('session.cookie_lifetime', 0);
    ini_set('session.gc_maxlifetime', 200000);
    ini_set('session.save_handler', 'user');
    ini_set('session.cookie_domain', '10.8.4.17');
    ini_set('session.cookie_path', '/drupal');
    ini_set('session.use_only_cookies', 1);
    ini_set('session.use_trans_sid', 0);

I've not been able to find much searching these forums except a handful of people with similar problems, but no real fixes that seem to work for me. Thanks in advance for any help getting this sorted.

kgt

Comments

kgt’s picture

I should add that I have found this to happen for both IE and Mozilla (haven't tried any other browsers).

I have found mention that 'localhost' as a host might/will cause problems. Is there any reason setting the host as an IP address might cause this problem?

Any other ideas for getting to the bottom of this?

ikioi’s picture

I've got the same issue, similar setup. Login just cycles back to the page unless cookies are deleted, and then it will login. But, if you logout, situation repeats itself.

Anyone help?

tjharman’s picture

Why don't you put a static entry in your hosts file for your site, call it test.dummy.com or something. You'll need to then change your Drupal settings file and probably also your webserver to recognise this vhost.

See if that fixes the problem for you. Then you'll know it's a problem with accessing Drupal via an IP address.

I realise this doesn't help fix the problem (which I have no idea about) but it might help track down if it's IP address related or not.

ikioi’s picture

He may be running on localhost, but I'm running a professional colocated server (Ensim Pro, RHEL, Apache 2, PHP 4, Mysql 4), and am having the same problems. Nothing at all wrong with the IP/DNS here.

ikioi’s picture

Ok, here's the VERY ugly temp fix:

in PHP.INI:

    session.use_cookies = 1
    session.use_trans_sid = 1

in /sites/default/settings.php:

    ini_set('session.use_cookies', 0);
    ini_set('session.use_only_cookies', 0);
    ini_set('session.use_trans_sid', 1);

In other words, move the PHPSESSID to the URL. Once you wipe out all your cookies, and go with this, it will all work fine. Yes, it looks like crap. Yes, your urls will look like crap in search engines as well. But, it does work.

EDIT: I added the ini_set('session.use_cookies', 0); and changed both the PHP.INI to 1 because we also run Moodle with the Moodle integration module for Drupal. If you turn off cookies completely, Moodle will fail. So, by using these settings, Drupal will use the URL, and Moodle will use cookies. All I need now is a clothes hanger and duct tape and I have a real patch job going here. :)

Now, if someone can, how do we fix this problem and go back to cookies? The problem seems to be with cookies not being properly removed on logout or removed on attempted login. (Cookie reading should be ignored on login, and then removed/replaced upon success, right?) A fix is MUCH appreciated as this is a production site.

Gribnif’s picture

I was able to fix this problem simply by upgrading PHP. I had been using 4.3.2, but switching to 5.1.2 immediately fixed it.

tma0’s picture

I had a similar problem.

    function sess_write($key, $value) {
    ...
      db_query("UPDATE {sessions} SET uid = %d, cache = %d, hostname = '%s', session = '%s', timestamp = %d WHERE sid = '%s'", $user->uid, $user->cache, $_SERVER["REMOTE_ADDR"], $value, time(), $key);
    ...

Function sess_write never updated the {sessions} table due to the collation of the MySQL (4.1.15) database; I had utf8_czech_ci. When I changed to utf8_general_ci or utf8_bin, it worked. It seems that WHERE does not work correctly, or there is a trick to persuade the MySQL server to use indexes as wanted. Note that I also added 2 lines to database.mysql.inc:

    function db_connect($url) {
    ....
      mysql_query("SET NAMES 'utf8';");
      mysql_query("SET CHARACTER SET 'utf8';");

Tomas

cmsproducer’s picture

The problem is caused by the anonymous cookie string being used after you login. To solve the problem of Drupal not logging in and not giving an error message, edit lines 947 - 954 of the user.module file in the modules directory; in version 4.7, these lines contain the function that authenticates users and creates a $user state variable.

    function user_authenticate($name, $pass) {
      global $user;

      // Try to log in the user locally. Don't set $user unless successful.
      if ($account = user_load(array('name' => $name, 'pass' => $pass, 'status' => 1))) {
        session_regenerate_id(); //iDonny - create a new session
        $user = $account;
      };

By regenerating the session ID, you will drop the anonymous ID and pick a new one for the logged in session. You can see the detailed solution to this common bug by checking this Drupal resource.

-----
iDonny - Web Content Management System Design, Development. & CRM

naudefj’s picture

Please submit a patch so this issue can be fixed.

cmsproducer’s picture

Rosamunda’s picture

The patch didn't work for me...
I simply cannot make this thing work after 4.7.2 update...
But I can login using FF....

cmsproducer’s picture

I think that someone has continued work on the patch; but if you need to bypass the problem, instead of logging in from the login box, use domains.com/user and login from there.

It will not manifest that problem. A neat workaround is to shut off that box altogether and put a login link that calls /user for everyone

-----
iDonny - Web Productions: Web Strategy, CMS Design, Branding, & Production

adammichaelroach’s picture

I was having the double login problem under FF and IE wouldn't take a login at all. The following steps I made to correct the problem. I will be doing heavy testing on the site to ensure this works properly and follow up with any other issues. It also works with caching enabled (it was suggested to disable).

Site hosted through A Small Orange www.asmallorange.com
PHP version 4.4.2
MySQL version 4.1.20

Modified .htaccess to redirect from example.com to www.example.com
Modified settings.php for $base_url to point to www.example.com
Modified user.module to reflect the following

<?php
    user_module_invoke('login', $form_values, $user);
    //Silencing the next 3 lines and moving their actions lower after authentication
    // $old_session_id = session_id();
    // session_regenerate_id();
    // db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);
  }
}

function user_authenticate($name, $pass) {
  global $user;
  // Try to log in the user locally. Don't set $user unless successful.
  if ($account = user_load(array('name' => $name, 'pass' => $pass, 'status' => 1))) {
    // next 3 lines: once authenticated, assign variable, regenerate the session ID, and update it in the DB
    $old_session_id = session_id();
    session_regenerate_id();
    db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);
    $user = $account;
  };
?>

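
The post above regenerates the session ID only after authentication succeeds and rewrites the `sid` in the sessions table to match. As an added example (not code from this thread or from Drupal), the following models that step against an in-memory SQLite table and checks that the UPDATE really matched a row, so a pre-login identifier never carries over into the authenticated session. It assumes PHP 7+ with pdo_sqlite; the table mirrors the thread's `sessions` columns and all function names are hypothetical.

```php
<?php
// Added illustration. Assumptions: PHP 7+ with pdo_sqlite; the table mirrors
// the thread's {sessions} columns; all function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (sid TEXT PRIMARY KEY, uid INTEGER NOT NULL, timestamp INTEGER NOT NULL)');

function new_sid(): string {
    return bin2hex(random_bytes(16)); // 128-bit random identifier
}

// First visit: an anonymous row (uid 0) keyed by the cookie value.
function open_anonymous(PDO $db): string {
    $sid = new_sid();
    $db->prepare('INSERT INTO sessions (sid, uid, timestamp) VALUES (?, 0, ?)')
       ->execute([$sid, time()]);
    return $sid;
}

// Successful login: issue a fresh sid and move the row to it in one UPDATE.
function login(PDO $db, string $oldSid, int $uid): string {
    $newSid = new_sid();
    $stmt = $db->prepare('UPDATE sessions SET sid = ?, uid = ?, timestamp = ? WHERE sid = ?');
    $stmt->execute([$newSid, $uid, time(), $oldSid]);
    // An UPDATE that matches no row is the silent failure seen in this thread:
    // the cookie and the table disagree. Fail loudly instead of continuing.
    if ($stmt->rowCount() !== 1) {
        throw new RuntimeException('session row not found; login aborted');
    }
    return $newSid; // the caller sends this value as the new cookie
}

// Resolve a cookie value to a uid; unknown sids are treated as anonymous.
function uid_for(PDO $db, string $sid): int {
    $stmt = $db->prepare('SELECT uid FROM sessions WHERE sid = ?');
    $stmt->execute([$sid]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? 0 : (int) $uid;
}

$anon = open_anonymous($db);
$auth = login($db, $anon, 1);
printf("post-login sid -> uid %d\n", uid_for($db, $auth));
printf("pre-login sid  -> uid %d\n", uid_for($db, $anon));
printf("sid changed at login: %s\n", $anon !== $auth ? 'yes' : 'no');
```
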
patchak’s picture

I think I have the same problem, is this solution still working on 4.7.3??

Thanks

tated’s picture

I just need to log in successfully right now, I'm not worrying about a permanent patch yet.

In the past we have (my colleague has) been able to manually delete cookies and we've gotten in through the back door. Now I'm trying to do the same and it ain't working. Here's what I'm doing:

0) I clear browser cache and cookies, close window.
1) reopen browser, navigate to site, attempt login, get blank screen
2) copy browser cookie SID
3) log into mysql, then

    mysql> select * from sessions where uid = 1;
    [Output, etc]

    mysql> delete from sessions where uid = 1 and session like 'message%';
    Query OK, 2 rows affected (0.00 sec)

    mysql> update sessions set sid = 'browser cookie #' where uid = 1;
    Query OK, 0 rows affected (0.00 sec)
    Rows matched: 0  Changed: 0  Warnings: 0

    mysql> commit;
    Query OK, 0 rows affected (0.00 sec)

    mysql> quit;
    Bye

Everything looks right, then I refresh the page in the browser, get a couple more blank screens, then finally get dumped back at the login page. Why isn't the back door trick working for me anymore?

Can anyone help me out?! Going slightly insane...