Users have been experiencing a situation where attempting to log in to Drupal brings you back to the login page without an error message; checking the watchdog (with an already logged-in admin account) reveals that the attempted login is recorded although the user is unable to proceed beyond the login page.

Clearing cookies or otherwise killing the anonymous session makes it possible to log in.
My approach to fix this problem applies an edit to the authentication function by adding a command to regenerate the session ID after Drupal verifies the username/password and just before it attempts to change the user's status to logged-in (see the code below).

-------------------------------------
function user_authenticate($name, $pass) {
  global $user;

  // Try to log in the user locally. Don't set $user unless successful.
  if ($account = user_load(array('name' => $name, 'pass' => $pass, 'status' => 1))) {
    session_regenerate_id(); // iDonny added this to create a new session ID
    $user = $account;
  }
-------------------------------------

The existing code seems to have a regenerate command before authentication, but it does not seem to prevent this issue, and disabling the preceding 3 lines does not make a difference.

I would like to have this fix applied to the existing download of Drupal and a patch generated for current installations. Below is a list of related support topics caused by this bug.

http://drupal.org/node/55364
http://drupal.org/node/45913
http://drupal.org/node/19835
http://drupal.org/node/30908
http://drupal.org/node/6696
http://drupal.org/node/64394
Detailed description of my solution: http://www.cmsproducer.com/drupal-login-session-cookie-without-error
Attached is a fixed copy of the user.module file (zipped) from the Drupal 4.7 code

Comment | File | Size | Author
#2 | user_module.patch | 767 bytes | cmsproducer
 | user.zip | 23.84 KB | cmsproducer

Comments

drumm:

Status: Reviewed & tested by the community » Needs work

Please post patchfiles, instructions are at http://drupal.org/diffandpatch.

We don't put personal attribution in code; the patch author(s) is always cited in the CVS log message.

cmsproducer:

Status: Needs work » Needs review
Status | File | Size
new | | 767 bytes

Sorry about the attribution, I just pulled the code right off my installation where I normally comment any changes with my name to avoid trouble when I upgrade.

I have cleaned-up the code and created a patch file.

webchick:

Status: Needs review » Needs work

Some minor nits.... I have not tested this patch because I can never duplicate the problem everyone always talks about.

don't bother with the // 3 lines deleted here .. people can look up the diff in cvs
don't bother with the empty line before global $user, for consistency
the whitespace is off .. lines should be indented 2 spaces, looks like there's some tabbing going on or something.

cmsproducer:

The patch has evolved
I modified it a little after Dries pointed out that I had neglected to store the new Session Id in the DB. Please refer to the more detailed and up-to-date parallel issue at: http://drupal.org/node/60584
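
A simplified model of the point in the comment above about storing the new session ID, added here as an illustration; it is not code from the patch or from Drupal. The array standing in for the session table and the names new_sid, session_uid and login_rotate are hypothetical, and the model assumes the session handler only recognises IDs that already have a stored row.

```php
<?php
// Constructed stand-in for a database-backed session table: sid => row.
// Assumption: a cookie whose sid has no stored row is treated as anonymous.

function new_sid(): string {
  return bin2hex(random_bytes(16));
}

// Look up the user for a session cookie; 0 means anonymous.
function session_uid(array $sessions, string $sid): int {
  return isset($sessions[$sid]) ? $sessions[$sid]['uid'] : 0;
}

// Rotate the session ID at login. With $persist = false only the cookie
// value changes, which models regenerating the ID without storing it.
function login_rotate(array &$sessions, string $old_sid, int $uid, bool $persist): string {
  $sid = new_sid();
  if ($persist) {
    // Move the row to the new ID so the pre-login ID stops resolving.
    $row = isset($sessions[$old_sid]) ? $sessions[$old_sid] : array('data' => '');
    unset($sessions[$old_sid]);
    $row['uid'] = $uid;
    $sessions[$sid] = $row;
  }
  return $sid;
}

// Constructed sample: one anonymous session created before login, uid 42 logging in.
$anon_sid = new_sid();

// Case 1: ID regenerated but never written to the session table.
$sessions = array($anon_sid => array('uid' => 0, 'data' => ''));
$cookie = login_rotate($sessions, $anon_sid, 42, false);
printf("not stored: new cookie -> uid %d, old row still present: %s\n",
  session_uid($sessions, $cookie), isset($sessions[$anon_sid]) ? 'yes' : 'no');

// Case 2: ID regenerated and the row moved to the new ID.
$sessions = array($anon_sid => array('uid' => 0, 'data' => ''));
$cookie = login_rotate($sessions, $anon_sid, 42, true);
printf("stored: new cookie -> uid %d, old cookie -> uid %d\n",
  session_uid($sessions, $cookie), session_uid($sessions, $anon_sid));
```

The second case is the property to check after any login change: the new ID resolves to the authenticated user and the pre-login ID resolves to nothing.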

webchick:

Status: Needs work » Closed (duplicate)

OK, marking this one as a dupe of http://drupal.org/node/60584 then. Thanks!

mountain girl:

hi iDonny,
have not had success with your fixit. running 4.7
problem persists with both ie and ff.

cmsproducer:

A patch has been posted/updated:
Beginning entry #46 of http://drupal.org/node/60584 and after if there are any subsequent updates to the patch.