Improve forced www/no-www .htaccess rule to pass along paths.

can you use the firefox live http headers extension to capture the http headers sent back and for this process?

bsimple: I'm only going to address your liveheaders, because that's the only thing concrete, quote unquote. In this particular case, there are three sessions and cookies getting created. Before I go on - you say that, sometimes, when you login to the site, you'll login and get redirected back to a page where the username and password box are still there? Next time that happens, without doing anything else, hold down the Shift key and click the Refresh button on your browser. I suspect that your browser is loading the cached ("I'm not logged in") version of the page you logged in from and, when Drupal redirects you back to that location, your browser dutifully loads the cached version, making it appear you're not logged in. A shift-refresh will force a real retrieval of the page. I've had this happen to me before, and a shift-refresh always shows me that I'm properly logged in.

Now, your liveheaders. First off, note the very first line "http://www.example.com". This starts our first series of requests, with the PHP sessionID of 3fd8053e826998653f35324a0ff725bc, which the browser accepts and starts sending with future requests (as seen in the Set-Cookie/Cookie lines of the request/response). The first problem occurs when the user logins - look for "POST /?destination=node%2F4 HTTP/1.1". The user is logging in under "http://www.example.com", but the site redirects the user to "http://example.com/node" (the Location: line). This tells me that your settings.php has "example.com" (no-www) as a base_url. To a browser and, more importantly, to sessions and cookies, "http://www.example.com/" and "http://example.com/" are NOT the same thing. Logging in under example.com will NOT allow you to use www.example.com, and vice-versa. And, if you auth under example.com, then later auth under www.example.com, that will log you out of the example.com session (I *think*).

While I have not tried it myself, I've heard whisperings that something in 4.7 is supposed to make this "better" somehow, simply by NOT setting the base_url in your settings.php (so that Drupal determines the base_url based on the client's request, not the admin's wishes). I'm not sure exactly what it does, but it's on my todo list to try on disobey.com (which is also hosted at Site5).

With all that said, it gets a little more confusing. The next time the session/cookie changes is again with a "POST /?destination=node%2F4 HTTP/1.1" (where it changes to 9358ca6b8bff6f23a3d28b453b178423). As we can see in the payload (the line after "Content-Length"), the client is again logging in (Incidentally, you were right - you sanitized everything but the password of the user, which is now available in cleartext. You'll want to change the password.). Now, generally speaking, a session/cookie IS SUPPOSED to change when you go from an anonymous user (one state) to an authenticated user (another state). However, it is unclear to me why this is actually happening (ie. if we already logged in successfully on the first request, where is this second login coming from?). So, I go back and I look at the first login attempt (the first match for "POST /?destination=node%2F4 HTTP/1.1).

I notice two things: PHP is setting two cookies, the first being your anonymous (presumably) cookie and the second being an authenticated one (presumably): Set-Cookie: PHPSESSID=3fd8053e826998653f35324a0ff725bc; expires=Sun, 09 Jul 2006 13:02:33 GMT; path=/. Set-Cookie: PHPSESSID=f56521d9d7cdd94c8c9b26318f08e0b7; expires=Sun, 09 Jul 2006 13:02:33 GMT; path=/. And then a third cookie is actually set shortly thereafter (d0f6562482d6e9d3f3d31955d4ba1ee8). I think the key here is the fact that a server error happened somewhere - the only thing I can think of is that you entered the wrong password or something Bad Happened (right after the client's POST request, it issues a GET to /node which gives an Access Forbidden error, as evident by the server's HTTP/1.x 403 OK response).

So, long story short: some of it I can explain, and some of it I can't. The stuff I can't explain doesn't mesh up with reality (why a 403 response?). If you could, do the following for me: a) attempt to duplicate the "I login and then get sent to a page with the username/password block again" problem and b) shift-refresh the page when that happens, to see if the box goes away. Then c) clear all your cookies and cache and d) do everything all over again, again attaching your liveheaders, so that we have something of a comparison.

bsimple: good to hear. One thing I'd like you to try is, and this will only work if you're using 4.7, to comment out the base_url in settings.php entirely and try your tests again. I'm curious to see if, and how, the double login stuff works. And, yes, as you've suggested, this is a widely reported problem, and we have taken steps to make this an admin choice in 4.7. The first one is what I want you to test - leaving the base_url commented (preceded by a # or a //, your choice). The second is actually included in the documentation for base_url:

* You might also want to force users to use a given domain.
* See the .htaccess file for more information.

See, the way you've fixed it, the problem now exists in reverse - if someone typed in JUST example.com, they'd login, get redirected to www.example.com, and the double login problem rears it's ugly head again, with the same security ramifications. To *force* your users to *always* go to www., you have to do it at a higher level than Drupal - via the webserver. The .htaccess facilitates this and requires Apache's mod_rewrite. A (partial) spit from that file:

# If your site can be accessed both with and without the prefix www. you
# can use one of the following settings to force user to use only one option:
#
# If you want the site to be accessed WITH the www.
# only, adapt and uncomment the following:
# RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
# RewriteRule .* http://www.example.com/ [L,R=301]

The only additional and "major" overhead caused by the .htaccess is when and if you are using mod_rewrite. And, based on your data, you ARE already using it (with Clean URLs) so adding that additional rule is not causing any overhead at all. Granted, things would be faster if this was done in the httpd.conf file (which I know you don't have access too), but we're looking at a really small measure here - milliseconds under thousands of hits a minute. I wouldn't worry about it.

From a technical standpoint, the safest best is probably leaving the base_url commented. That is the Future For settings.php, and you'll find that happening in a lot more places than you will .htaccess modification (which is often hidden to non-technical users, and is full of uberdygooberdy). It also presumes that a) you can use .htaccess files on your server and b) you can use mod_rewrite. Site5 naturally passes both those tests, but a lot of hosts don't (as evident by a simple Google search for Drupal sites not using clean URLs).

From an opinionated standpoint, I will *never* use a "no-www" to "www" redirect. I don't buy into this crazy fad about no-www being better for the web, design, and what have you. It's just crank pot theory. I prefer to allow my users to use my site with, or without, the www, so I'd never do a forcing. Now that you've done my work for me (I have been lazy about trying out the commented base_url for a bit now), I'll be commenting that out myself shortly to solve a similar problem for disobey.com (for me, I try to *always* link to www.disobey.com, but I nearly *always* type in my address as "disobey.com", so I get the dual login problem frequently enough too).

Finally, issue-wise, I think I'm going to close this under a "by design" status.

Leaving as active, updating issue title.

http://drupal.org/node/60584#comment-109134

Not only is this a security hole, but it can break logins because of cascading cookies.

Morbus, the anomalies you found in the first batch might also be caused by this cookie dominance... even if a user goes to www.site.com they'll still get the site.com session. session_regenerate_id() will change the session id in the database and also send a cookie for www.site.com, but when the user is forwarded to site.com, the site.com cookie session id will be used over the www.site.com session id. Once a user has both cookies, they MUST be logged in under site.com for their session to work anywhere. Even though www.site.com gets the cookie and can log in under that same session id, when the id is regenerated the new id will be sent to a www.site.com cookie. In this case, the www.site.com cookie-session can never be logged off, only regenerated (even though it will appear that www.site.com is logged off if the site.com session cookie is anonymous)

setting to critical because having a site.com base url will mean any log in under www.site.com cookie cannot be logged out of.

By simply deleting the site.com cookie another user of the computer can gain access to the logged in www.site.com session cookie.

If this concerns you, there are already two ways of solving the problem as described above. This report is now for a separate issue entirely.

Anyways, looks like the other issue you've linked to is more relevant/detailed.

Ok then. Well the feature here is really a solution to the issue for some people. +1 on the rewrite code bsimple provided in #6.

Sorry for the excitement and not thinking out the posting, I'd been up all night

Feature request moving to cvs.

This was fixed a long time ago. #109150: RewriteRule for 'www.' always redirects to the front page