There is a conflict between the Persistent Login module and the Boost caching module. I have experienced the warning message about a supposedly stolen persistent login session being cached by Boost, since it is presented to an unauthenticated visitor. From then on the alarming warning message is displayed to all anonymous visitors.

As a workaround I commented out the message:


// Persistent Login: the error queued when the remembered-login cookie the
// browser sent does not validate. This is the call I commented out.
drupal_set_message(t('SECURITY ALERT!

You previously logged in to this site and checked the Remember me box. At that time, this site stored a "login cookie" on your web browser that it uses to identify you each time you return. However, the login cookie that your browser just provided is incorrect. One possible cause of this error is that your web browser cookies have been stolen and used by someone else to impersonate you at this site.

As a precaution, we logged out all of your current sessions and deactivated all your remembered logins to this site. You can log in again now.'), 'error');

I was going to remove this message in any case, as I believe it is far too explicit / anxiety-inducing for my site users. Having the system discreetly abandon their previous persistent login session and request a new login is enough, so long as the potential security breach is logged for me to see. But this is a separate issue, being discussed here: http://drupal.org/node/327263

Comments

plan9

Status: Active » Closed (cannot reproduce)

I'm closing this as it looks like a malformed cookie was causing this behaviour. Clearing the browser cookies seemed to fix it.

plan9

Status: Closed (cannot reproduce) » Active

Opening this as I've seen it happen again - and I believe my cookies are intact.

gapple

I understand how Boost operates, but am not directly familiar with it. It seems to me that Boost shouldn't cache any page if a call to drupal_set_message() is made.

Do you know of a way to directly tell Boost not to cache the page when the error occurs?

Alternately, the message could be moved to a dedicated page to which the user is redirected rather than using drupal_set_message(). This may also allow a better opportunity to inform the user of what actually happened to cause the error.

gapple

Status: Active » Closed (won't fix)

The default configuration for the latest 6.x version of Boost should prevent caching the page if any messages are set via drupal_set_message().

If this remains an issue for 5.x, you may need to backport that functionality in Boost if possible.
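As an added illustration of the two approaches discussed in this thread (skipping the cache whenever a message has been queued, and moving the alert to a dedicated page), here is a small Drupal 6 module. It is example code written for this page, not code from Boost or Persistent Login. It assumes the Drupal 6 API (module preprocess functions, drupal_set_header(), drupal_goto(), watchdog(), ip_address()); the module name nocachemsg, its function names, the path user/login-cookie-invalid and the log message are all hypothetical, and because the thread does not say how Boost is told to skip a page, only the cacheability decision itself is shown.

```php
<?php
// nocachemsg.module: added example for this thread, not code from Boost or
// Persistent Login. Assumes the Drupal 6 API; module, function and path names
// are hypothetical.

/**
 * Per-request flag: has this response become specific to one visitor?
 */
function nocachemsg_flag_uncacheable($set = NULL) {
  static $uncacheable = FALSE;
  if ($set !== NULL) {
    $uncacheable = (bool) $set;
  }
  return $uncacheable;
}

/**
 * Implementation of hook_preprocess_page().
 *
 * template_preprocess_page() has already rendered the queued
 * drupal_set_message() output into $vars['messages'] (an empty string when
 * there were none), and nothing has been printed yet, so this is the last
 * reliable point at which a module can both notice the message and still send
 * headers. Checking $_SESSION['messages'] in hook_exit() is too late: the
 * messages were consumed during rendering. The Persistent Login alert is
 * queued while the visitor is still anonymous, which is exactly the response
 * an anonymous-page cache must not store.
 */
function nocachemsg_preprocess_page(&$vars) {
  if (!empty($vars['messages'])) {
    nocachemsg_flag_uncacheable(TRUE);
    // Keep reverse proxies and browsers from storing this copy.
    drupal_set_header('Cache-Control: no-cache, must-revalidate');
    drupal_set_header('Expires: Sun, 19 Nov 1978 05:00:00 GMT');
  }
}

/**
 * The check a static page cache should make before writing an anonymous page.
 * Only anonymous GET responses without a queued message are candidates.
 */
function nocachemsg_page_is_cacheable() {
  global $user;
  if ($user->uid != 0 || $_SERVER['REQUEST_METHOD'] != 'GET') {
    return FALSE;
  }
  return !nocachemsg_flag_uncacheable();
}

/**
 * The alternative from the thread: log the event for the site admin, then
 * send the visitor to a dedicated page instead of queuing the alert on
 * whatever page they happened to request. drupal_goto() ends the request, so
 * nothing from the originally requested page is rendered or cached with the
 * alert attached. (Hypothetical function; Persistent Login's own hook is not
 * reproduced here.)
 */
function nocachemsg_handle_invalid_login_cookie($account) {
  watchdog('persistent_login',
    'Remembered-login cookie for %name from %ip did not validate; sessions cleared.',
    array('%name' => $account->name, '%ip' => ip_address()), WATCHDOG_WARNING);
  drupal_goto('user/login-cookie-invalid');
}

/**
 * Implementation of hook_menu(): the dedicated page the redirect lands on.
 */
function nocachemsg_menu() {
  $items['user/login-cookie-invalid'] = array(
    'title' => 'Remembered login reset',
    'page callback' => 'nocachemsg_invalid_cookie_page',
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: plain wording, never cacheable, and no drupal_set_message().
 */
function nocachemsg_invalid_cookie_page() {
  nocachemsg_flag_uncacheable(TRUE);
  drupal_set_header('Cache-Control: no-cache, must-revalidate');
  return '<p>' . t('The remembered login for this browser was no longer valid, so it has been reset. Please log in again.') . '</p>';
}
```

Note that the Cache-Control header only protects HTTP caches in front of Drupal. A static-file cache such as Boost writes its copy at the end of the request and serves it from rewrite rules before Drupal runs, so it has to consult a decision like nocachemsg_page_is_cacheable() (or, for the dedicated page, have that path excluded in its own settings) rather than the response headers; which of those Boost 6.x does by default is what gapple's last comment refers to, and is not spelled out here.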