Just upgraded one of our servers to Drupal 7.17 and Services to 7.x-3.2 and suddenly the REST login endpoint does not send the cookie HTTP header.
Can anyone reproduce this?

Comments

kylebrowning’s picture

Category: bug » support
Priority: Major » Normal

Do the tests fail?

rodmaz’s picture

Apologies, I am not familiar with how to run the testing frameworks used in Drupal. But I guess it should be very straightforward to detect the problem. I just used two endpoints (login/logout) and my previous test routines worked fine. Now, no Set-Cookie header is sent.
Can it be that the service is filtering it out somehow in the chain?

tpainton’s picture

I'm having problems now after the Drupal upgrade to 7.17 as well. My application was working great, but now all requests to the REST server are viewed as from anonymous. I'm not sure if this is related, as I am not sure how to check if the REST server is returning cookie headers. I do have a sessionid and session sent, but it appears to be associated with the anonymous user when I look it up in the database. Something definitely broke after the 7.17 upgrade. I'll have more, possibly related, after more looking into this. I'm still very perplexed.

navarrete’s picture

Title: Login REST endpoint does not send HTTP cookie header anymore » 401 - Unauthorized: when i try to execute an http_request
Component: Code » Miscellaneous
Priority: Normal » Major

I have the same problem using XMLRPC.

I am using my own Drupal 6 module to launch nodes from one Drupal 6 site to one Drupal 7 site. I use the Services module in Drupal 7 to create and update content.

Since I upgraded the Drupal 7 environment from version 7.15 to 7.17, in my Drupal 6 site I get the message "401 - Unauthorized: Access denied for user anonymous" when I try to create or update a node.

When I test the login, it returns the user login information with the cookie value, and everything seems fine. But when I try to use drupal_http_request($url, $headers, 'POST', $xmlrpc_request->xml), it does not recognize the cookie value, tries to make node.save as the anonymous user and fails. It gets the "401 - Unauthorized: Access denied for user anonymous".

I call the node.save function with

$headers['Cookie'] = $datac['login']['cookie']; 
$headers['Content-Type'] = "text/xml";

When I use devel to check the result of the Drupal request, I see that the request is:

POST /services/xmlrpc HTTP/1.0
Host: destination-domain.com
User-Agent: Drupal (+http://drupal.org/)
Content-Length: 428
Cookie: SESS5ad42b2e286ec657d3f74b969f7b=BZKQ108GxZwMg1ASDSDqRudf5uaBJHM-M0yW3U
Content-Type: text/xml

<?xml version="1.0"?>
<methodCall>
  <methodName>node.save</methodName>
  <params>
    <param><value><struct>
      <member><name>nid</name><value><int>535</int></value></member>
      <member><name>vid</name><value><int>535</int></value></member>
      <member><name>status</name><value><int>0</int></value></member>
      <member><name>type</name><value><string>node_content_type</string></value></member>
    </struct></value></param>
  </params>
</methodCall>

I don't know why, but something changed when I updated the Drupal version. Maybe now I need another way to use the cookie. I am not sure, I need help.
I checked the release notes
http://drupal.org/drupal-7.17-release-notes
http://drupal.org/node/1815904

Another change I made was applying this update, but I don't think that was it:
Token (token) 7.x-1.2 7.x-1.4 SECURITY UPDATE available

Thanks

navarrete’s picture

Title: 401 - Unauthorized: when i try to execute an http_request » Login REST endpoint does not send HTTP cookie header anymore
Priority: Major » Normal

OK, it was fixed when I updated the Services module from 7.x-3.1 to 7.x-3.2.
I don't know if the same happens for REST.
Sorry. Now I have other problems.

navarrete’s picture

Priority: Normal » Major

Now I can do a node.save, but when I try to make a node.retrieve I get the following response:

<?xml version="1.0"?>
<methodResponse>
  <fault>
    <value>
      <struct>
        <member>
          <name>faultCode</name>
          <value><int>401</int></value>
        </member>
        <member>
          <name>faultString</name>
          <value><string>Access denied for user registerusername</string></value>
        </member>
      </struct>
    </value>
  </fault>
</methodResponse>

I generate this request:

POST /services/xmlrpc HTTP/1.0
Host: destination-domain.com
User-Agent: Drupal (+http://drupal.org/)
Content-Length: 150
Cookie: SESS5ad42b2e286ec657d3f74b969f7b=BZKQ108GxZwMg1ASDSDqRudf5uaBJHM-M0yW3U
Content-Type: text/xml

<?xml version="1.0"?>
<methodCall>
  <methodName>node.retrieve</methodName>
  <params>
    <param><value><int>541</int></value></param>
  </params>
</methodCall>

I tested some methods to generate these args without results. Before updating the Services module and core this worked fine.

I checked all resources from destination-domain.com/admin/structure/services/list/xmlrpc/resources. I tried to enable all, and nothing.

In debug mode, I can see the following information in the log:

Passed arguments:
Array
(
    [0] => 541
)

Controller:
Array
(
    [access arguments] => Array
        (
            [0] => update
        )
)

Server info main object:
stdClass Object
(
    [module] => xmlrpc_server
    [endpoint] => xmlrpc
    [endpoint_path] => services/xmlrpc
    [debug] => 1
    [settings] => Array
        (
        )
)

Calling server: xmlrpc_server_server

results:
stdClass Object
(
    [sessid] => BZKQ108GxZwMg1ASDSDqRudf5uaBJHM-M0yW3U
    [session_name] => SESS5ad42b2e286ec657d3f74b969f7b
    [user] => stdClass Object
        (
            [uid] => 4
            [name] => username
            [mail] => useremail@email.com
            [theme] => 
            [signature] => 
            [signature_format] => filtered_html
            [created] => 1341220114
            [access] => 1354148527
            [login] => 1354149124
            [status] => 1
            [timezone] => Europe/Madrid
            [language] => es
            [picture] => 
            [init] => useremail@email.com
            [data] => Array
                (
                    [l10n_client_disabled] => 
                )

            [roles] => Array
                (
                    [2] => authenticated user
                    [3] => administrator
                )

            [rdf_mapping] => Array
                (
                    [rdftype] => Array
                        (
                            [0] => sioc:UserAccount
                        )

                    [name] => Array
                        (
                            [predicates] => Array
                                (
                                    [0] => foaf:name
                                )

                        )

                    [homepage] => Array
                        (
                            [predicates] => Array
                                (
                                    [0] => foaf:page
                                )
                            [type] => rel
                        )
                )
            [domain_user] => Array
                (
                    [1] => 1
                )
        )
)

I don't know if it could be a bug or could be my code.

I need some help please.

navarrete’s picture

Priority: Major » Normal

Fixed. I have a hook_resources alter because I only want the administrator user to make a node.retrieve:

$resources['node']['operations']['retrieve']['access arguments'][0] = 'update';

Now I need to change it to add ['operations'].

kylebrowning’s picture

Status: Active » Closed (cannot reproduce)

navarrete, it looks like you're getting a little off topic. Please make a new thread with the different issues you are having.

noslokire’s picture

Updating fixed it for us as well; we are now on 3.3.

tpainton’s picture

Yep, my problem was fixed as well by upgrading to the latest Services.

Cracu’s picture

There's a modification in Drupal core, more specifically in session.inc. This modification prevents the session_destroy() function (called in the Services logout action) from clearing the session table and also from removing the session cookie.

static $save_session = TRUE;

Apparently $save_session will have the value FALSE after this line, because it was previously initialized to FALSE.

The default implementation of the logout action contains the following lines:

session_destroy();
user_module_invoke('logout', $tmp, $user);

In order to make it work, you'll have to add
drupal_save_session(TRUE);
before those 2 lines, to re-initialise the $save_session static variable to TRUE.

NOTE: this was a note for those that cloned the logout action of the user resource for their own resource.
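
A way to check captured responses for the two symptoms reported in this thread: no session Set-Cookie header on login, and a session cookie the server does not expire on logout. This is an added example, not code from the Services module or from any poster; the response texts and cookie name are constructed samples, and the HttpOnly check is an extra assumption about what a reviewer would also want to see.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Drupal 7 session cookies are named SESS<hex> (SSESS<hex> over HTTPS).
SESSION_NAME = re.compile(r"^S?SESS[0-9a-f]+$")

def session_cookies(raw_response):
    """Return {name: (value, attrs)} for session cookies set by a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = message_from_string(head.partition("\n")[2])  # drop the status line
    found = {}
    for line in headers.get_all("Set-Cookie", []):
        pair, *rest = [p.strip() for p in line.split(";")]
        name, _, value = pair.partition("=")
        if SESSION_NAME.match(name):
            attrs = dict((a.partition("=")[0].lower(), a.partition("=")[2]) for a in rest)
            found[name] = (value, attrs)
    return found

def is_expired(attrs, now=None):
    """True if the cookie attributes tell the client to delete the cookie."""
    now = now or datetime.now(timezone.utc)
    if "max-age" in attrs:
        return int(attrs["max-age"]) <= 0
    if "expires" in attrs:
        when = parsedate_to_datetime(attrs["expires"])
        return when.replace(tzinfo=timezone.utc) <= now  # Expires is always GMT
    return False

def audit(login_raw, logout_raw):
    """Findings for a login response and the logout response that follows it."""
    findings, issued = [], session_cookies(login_raw)
    if not issued:
        findings.append("login: no session Set-Cookie header")
    for name, (_, attrs) in issued.items():
        if "httponly" not in attrs:
            findings.append(f"login: {name} lacks HttpOnly")
        cleared = session_cookies(logout_raw).get(name)
        if cleared is None or not is_expired(cleared[1]):
            findings.append(f"logout: {name} not expired by the server")
    return findings

# Constructed sample responses (not captured from a real site).
LOGIN_OK = "HTTP/1.1 200 OK\nSet-Cookie: SESS0123abcd=constructed-value; path=/; HttpOnly\n\n{}"
LOGIN_NO_COOKIE = "HTTP/1.1 200 OK\nContent-Type: application/json\n\n{}"
LOGOUT_OK = "HTTP/1.1 200 OK\nSet-Cookie: SESS0123abcd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/\n\n[true]"
LOGOUT_KEEPS = "HTTP/1.1 200 OK\nContent-Type: application/json\n\n[true]"
```

Feed it the raw response text saved from a client or proxy for a login call and the following logout call; an empty list means neither symptom is present.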