Access denied when logging in

I use a common domain like example.com ny.example.com la.example.com and I am using shared cookies so users can login across domains.

Currently my cookie domain says "$cookie_name = 'example.com';" without the star or period before my base domain --- is this what is causing the issue?

They log in succesfully but are taken back to user/login page which of course gives then an access denied message.

I am using Login Tobaggan to allow users to sign in with their email addresses and nothing else that I can think of.

Disabling the module doesnt seem to fix anything. I think something else must be causing the issue. Its really strange since I can only see the access denied errors in my logs and cant seem to run into it myself

I have methodically worked back to a default drupal 6.17 install, but, nothing to report.

I meant cookie domain. Mine is currently '.example.com'

Hi,

I just ran into this same problem. I had my cookie_domain set to "www.domain.com". To fix it, I simply commented out the cookie_domain setting since it didn't seem to be necessary for my particular configuration.

Note I also had to clear the cache on my local browser to fix some subsequent errors returned by the securepages module.

Well, i fixed it by checking the settings.php

In my case i had $cookie_name = 'example.com' without a dot in front of domain.
changing it to $cookie_name = '.example.com' and clearing cache and cookies in browsers fixed the problem.

The strange thing is that i used it without a dot for more than a year and only now it made some troubles.

My cookie name is correctly set to '.example.com' but I am still getting this error for some of my users.

They are logged in but for some reason it sends them back to the login page right away which shows an access denied message since they are already logged in.

OK I think there is a lack of proper communication/explanation/understanding here. As agentrickard states, this issue is not coming from DA core. When one accesses a Drupal site for the first time, Drupal core creates a session cookie so that the user's browsing session can be managed & tracked by Drupal core and contributed modules. This session cookie exists even before a user logs into the Drupal site. I would say the first thing to do would be to ensure that the browser is not rejecting/blocking this session cookie before making any attempt to log in.

If the browser is accepting the session cookie then the next step would be to confirm the behaviour that occurs when one logs in. By default, when one logs into a Drupal site (whether or not DA module is installed) Drupal core validates the login information and, if verified, updates the session information and redirects the user to their user profile page. Now, there are modules (i.e. Login Destination, LoginToboggan) which allow you to override this default redirection behaviour and specify a different page to redirect to after Drupal authenticates a login.

Also, and again, this is a Drupal core behaviour, not a DA module behaviour, Drupal sets the domain for the session cookie to whatever domain is being used to access the site, UNLESS you specify a value by setting the $cookie_domain value in settings.php. So, when using DA module and say you have four domains configured, say example.com, one.example.com, two.example.com and three.example.com, then you MUST set the $cookie_domain variable to .example.com in order for the session cookie created to be available across each of these domains, no matter which domain you login from. So, if you decide to instead set $cookie_domain to say example.com, i.e. without the leading dot, and you attempt to login from two.example.com then the login WILL fail and you will be redirected back to the user login form on that domain. Why? Because a cookie created for example.com is NOT available at two.example.com UNLESS the cookie value is .example.com (put simply, the leading dot makes sure the cookie is available on example.com + ALL subdomains of example.com).

If of course you do not set $cookie_domain to any value then as I eluded to before, when you access one.example.com Drupal core creates a session cookie for the domain one.example.com, when you access two.example.com, it creates a session cookie with a domain value of two.example.com, etc. These cookies will therefore each be domain-specific which means if you login at example.com you will still have to login at one.example.com too because example.com's session cookie will not be available on one.example.com's session cookie.

So, having said all that, the solution to this issue is simple:

1) Make sure that the browser is accepting cookies from Drupal in the first place, i.e. from the first entrance into the Drupal site (the name of the cookie should follow the standard PHP session variable naming convention since Drupal uses PHP's built-in session handling, so it will probably be something like SESSa495ff..... or SESS...whatever).

2) Check if the site has any Login redirection modules installed/configured to redirect users after logging in.

3) Make sure you set the $cookie_domain variable in settings.php to ensure that logins to the site are "propagated" across the domain and all subdomains, so you only have to log in to one domain to be logged in to all.

I really don't think there's any more explanation that can be given than this. Hope all of what I've said makes sense. All the best with tracking down the source of your issue.

not really a fix, but one possible solution can be found here http://drupal.org/node/838768

Then I suspect they don't accept cookies.

as mentioned http://drupal.org/node/824548#comment-3156680 it's not really a fix, but handles the situation more elegantly i.e. the users don't see access denied error but they are gracefully taken to the home page of the site.

I think that this problem relates to Drupal core upgrade from 6.16 -> 6.17 because all my multisite -sites, which had cookie domain set as "domainname.com" without leading dot, went bust. I would recommend to somehow notify users about these changes (at least I didn't notice any info about this before upgrading to 6.17) because all these blown sites definitely affect on Drupal's general reliability.

If someone else wanders here and is affected by the same problem as my sites, the solution was either

• disable cookie domain from every site's settings.php or
• add a leading dot to domainname in settings.php like ".domainname.com"

adding a leading dot (.) does not solve the problem for me and I cant comment out the cookie domain line or my users wont have access to other subdomains on my site

@str1, avoiding the problem you faced is in fact documented in the DA module INSTALL file so IMO that does not reflect on Drupal's general reliability or DA's module reliability.

As for the problem being discussed in this issue I suspect the source of the issue is related to either improper permissions settings, prohibitive browser cookie settings or incorrect $cookie_domain value in settings.php.

I've used DA and a number of DA-related contrib modules on a handful of sites and never had users encounter this problem. Just to be sure of what agentrickard already asked, does the role for your users have the permission 'access user profiles' set?

Well - clearing cookies fixed it for me. Thanks ispheretechnologies - I didn't get half of the stuff you were going on about but it was enough for me to have a go at clearing the cookies and voila .... problem solved (well - for now anyway)

I've just finished an upgrade from 6.11 or so to 6.17. I've also had a fiddle with the minimum cache settings and while all OK from my home computer, trying to login from work's computer was throwing up "Access Denied" errors for any username. No stuffing around with the settings.php file fixed anything.