Just upgraded one of our servers to Drupal 7.17 and Services to 7.x-3.2 and suddenly the REST login endpoint does not send the cookie HTTP header.
Can anyone reproduce this?
Comments
Comment #1
kylebrowning commented:
Do the tests fail?
Comment #2
rodmaz commented:
Apologies, I am not familiar with how to run the testing frameworks used in Drupal. But I guess it should be very straightforward to detect the problem. Just used two endpoints (login/logout) and my previous test routines worked fine. Now, no Set-Cookie header is sent.
Can it be that the service is filtering it out somehow in the chain?
Comment #3
tpainton commented:
I'm having problems now after the Drupal upgrade to 7.17 as well. My application was working great, but now all requests to the REST server are viewed as coming from anonymous. I'm not sure if this is related, as I am not sure how to check if the REST server is returning cookie headers. I do have a sessionid and session sent, but it appears to be associated with the anonymous user when I look it up in the database. Something definitely broke after the 7.17 upgrade. I'll have more, possibly related, after more looking into this. I'm still very perplexed.
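Added example, not part of any comment in this thread: one way to check whether a login response carries the session cookie, run here over two constructed raw responses. The `SESS`/`SSESS` cookie-name pattern, the function names and the sample values are assumptions made for the illustration.

```python
import io
import re
from http.client import parse_headers

# Assumption: Drupal 7 session cookies are named SESS<hex> (SSESS<hex> over HTTPS).
SESSION_NAME = re.compile(r"^S?SESS[0-9a-f]+$")

# Constructed sample responses (not captured from a real site).
GOOD = (b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/json\r\n"
        b"Set-Cookie: SESS0123456789abcdef0123456789abcdef=constructed-id;"
        b" path=/; HttpOnly\r\n"
        b"\r\n"
        b'{"sessid": "constructed-id"}')
REGRESSED = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Type: application/json\r\n"
             b"\r\n"
             b'{"sessid": "constructed-id"}')


def session_cookies(raw_response):
    """Return the session cookies set by a raw HTTP response."""
    fp = io.BytesIO(raw_response)
    fp.readline()  # skip the status line
    headers = parse_headers(fp)
    found = []
    for line in headers.get_all("Set-Cookie") or []:
        pair, *attrs = [part.strip() for part in line.split(";")]
        name, _, value = pair.partition("=")
        if SESSION_NAME.match(name):
            flags = {a.split("=", 1)[0].lower() for a in attrs if a}
            found.append({"name": name, "value": value,
                          "httponly": "httponly" in flags,
                          "secure": "secure" in flags})
    return found


def check_login(raw_response):
    """Classify a login response: missing cookie, weak cookie, or fine."""
    cookies = session_cookies(raw_response)
    if not cookies:
        return "FAIL: login response sets no session cookie"
    if not all(c["httponly"] for c in cookies):
        return "WARN: session cookie lacks HttpOnly"
    return "OK: " + cookies[0]["name"]


if __name__ == "__main__":
    print(check_login(GOOD))
    print(check_login(REGRESSED))
```

The body can still contain a `sessid` while the header is missing, which is why the check reads the headers rather than the JSON.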
Comment #4
navarrete commented:
I have the same problem using XMLRPC.
I am using my own Drupal 6 module to launch nodes from one Drupal 6 to one Drupal 7. I use the Services module in Drupal 7 to create and update content.
Since I upgraded the Drupal 7 environment from version 7.15 to 7.17, in my Drupal 6 I get the message "401 - Unauthorized: Access denied for user anonymous" when I try to create or update a node.
When I test the login, it returns the user login information with the cookie value, and everything seems fine. But when I try to use drupal_http_request($url, $headers, 'POST', $xmlrpc_request->xml) it does not recognize the cookie value, tries to do node.save as the anonymous user and fails. It gets the "401 - Unauthorized: Access denied for user anonymous".
I call node.save function with
When I use devel to check the result of the Drupal request, I see the request is:
POST /services/xmlrpc HTTP/1.0
Host: destination-domain.com
User-Agent: Drupal (+http://drupal.org/)
Content-Length: 428
Cookie: SESS5ad42b2e286ec657d3f74b969f7b=BZKQ108GxZwMg1ASDSDqRudf5uaBJHM-M0yW3U
Content-Type: text/xml

<?xml version="1.0"?>
<methodCall>
  <methodName>node.save</methodName>
  <params>
    <param><value><struct>
      <member><name>nid</name><value><int>535</int></value></member>
      <member><name>vid</name><value><int>535</int></value></member>
      <member><name>status</name><value><int>0</int></value></member>
      <member><name>type</name><value><string>node_content_type</string></value></member>
    </struct></value></param>
  </params>
</methodCall>
I don't know why, but something changed when I updated the Drupal version. Maybe now I need another way to use the cookie. I am not sure, I need help.
I checked the release notes
http://drupal.org/drupal-7.17-release-notes
http://drupal.org/node/1815904
Another change I made was to apply this update, but I don't think that was it:
Token (token) 7.x-1.2 7.x-1.4 SECURITY UPDATE available
Thanks
Comment #5
navarrete commented:
OK, it was fixed when I updated the Services module from 7.x-3.1 to 7.x-3.2.
I don't know if the same happens for REST.
Sorry. Now I have other problems.
Comment #6
navarrete commented:
Now I can do a node.save, but when I try to do a node.retrieve I get the following response:
<?xml version="1.0"?>
<methodResponse>
  <fault>
    <value>
      <struct>
        <member>
          <name>faultCode</name>
          <value><int>401</int></value>
        </member>
        <member>
          <name>faultString</name>
          <value><string>Access denied for user registerusername</string></value>
        </member>
      </struct>
    </value>
  </fault>
</methodResponse>
I generate this REQUEST:
POST /services/xmlrpc HTTP/1.0
Host: destination-domain.com
User-Agent: Drupal (+http://drupal.org/)
Content-Length: 150
Cookie: SESS5ad42b2e286ec657d3f74b969f7b=BZKQ108GxZwMg1ASDSDqRudf5uaBJHM-M0yW3U
Content-Type: text/xml

<?xml version="1.0"?>
<methodCall>
  <methodName>node.retrieve</methodName>
  <params>
    <param><value><int>541</int></value></param>
  </params>
</methodCall>
I tested some methods to generate these args without results. Before updating the Services module and core this worked fine.
I checked all resources from destination-domain.com/admin/structure/services/list/xmlrpc/resources. I tried to enable all, and nothing.
In debug mode, I can see in the log the next information:
I don't know if it could be a bug or could be my code.
I need some help please.
Comment #7
navarrete commented:
Fixed. I have a hook_resources alter because I only want the administrator user to make a node.retrieve.
Now I need to change it to add ['operations'].
Comment #8
kylebrowning commented:
navarrete, it looks like you're getting a little off topic. Please make a new thread with the different issues you are having.
Comment #9
noslokire commented:
Updating fixed it for us as well, we are now on 3.3
Comment #10
tpainton commented:
Yep, my problem was fixed as well upgrading to latest services.
Comment #11
Cracu commented:
There's a modification in Drupal core, more specifically in session.inc. This modification prevents the session_destroy() function (called in the Services logout action) from clearing the session table and also from removing the session cookie.
Apparently $save_session will have the value FALSE after this line, because it was previously initialized to FALSE.
Default implementation for logout action contains the following lines:
In order to make it work, you'll have to add
drupal_save_session(TRUE);
before those 2 lines, to re-initialise the $save_session static variable to TRUE.
NOTE: this was a note for those that cloned logout action of user resource for their own resource.