Re: [bug] "remember me" doesn't work: msg#00516

php.drupal.devel

Subject: Re: [bug] "remember me" doesn't work

A further note from Marco's:

I have this problem in Drupal 4.3.x on PHP 4.3.2.

I do NOT have it on Drupal 4.2 on PHP 4.3.2, in exactly the same
environment.

So perhaps sessions have changed in PHP 4.3.x, but this still didn't break
Drupal 4.2, only 4.3.x.

On 2/12/04 0:20, "paul" <drupal-devel@xxxxxxxxxx> wrote:

> Project: Drupal
> Version: cvs
> Component: user.module
> Category: bug reports
> Priority: critical
> Assigned to: Kjartan
> Reported by: marco
> Updated by: paul@xxxxxxxxxxxxxxxx
> Status: active
>
> Has any progress been made on this? I have spent a lot of time in the
> code and can't manage to track this problem down. If anyone has any
> ideas, thoughts, etc to share, post them here so we can get this
> solved.
>
> paul@xxxxxxxxxxxxxxxx
>
>
>
> Previous comments:
> ------------------------------------------------------------------------
>
> September 22, 2003 - 15:37 : marco
>
> "remember me" checkbox in the login box doesn't work; even if the
> checkbox is left unchecked the user is NOT forgotten when he quits the
> browser. Try logging in w/o "remember me", then quit the browser and
> open it again: you should be still logged in.
>
> What happens:
> when you login w/o checkbox user.module outputs a cookie with lifetime
> = 0 ("until session ends"); but user.module calls session_start() at
> the beginning, which outputs a cookie too, with the lifetime specified
> in .htaccess; and session_start() outputs this cookie always, so on the
> next page the cookie from user_login() will be overwritten.
>
> I run Mozilla 1.4; I can replicate with Drupal 4.0 and Drupal 4.2 on
> PHP 4.3.3, and I can replicate this on drupal.org which also runs PHP
> 4.3.3; OTOH I can't replicate on a site running Drupal 4.2 with PHP
> 4.2.2, which may mean session_start() changed with PHP 4.3.x; I looked
> in the changelog of PHP but couldn't find anything. I didn't have any
> report about this before upgrading to PHP 4.3.3, which also seems to
> strengthen the hypothesis of a changed behaviour in PHP. Another test I
> did also showed that with PHP 4.2.2 no cookie is printed by
> session_start() if a session cookie is found, while it is always
> printed in PHP 4.3.3; I double checked the configurations and didn't
> find anything which may cause this.
>
> If you want to investigate this, I suggest you use Mozilla and the Live
> HTTP Headers plugin.
>
> ------------------------------------------------------------------------
>
> October 11, 2003 - 02:37 : weitzman@xxxxxxxxxxxx
>
> Can anyone confirm this? Also, how to fix?
>
> ------------------------------------------------------------------------
>
> October 12, 2003 - 19:45 : axel@xxxxxxxxxxxxxxxxxxxx
>
> I agree with it for Mozilla 1.0. On my site running on FreeBSD 4.7,
> PHP/4.3.0, Drupal CVS (Oct 3) this function also doesn't work. Though,
> with Galeon 1.2.5 the cookie works ok.
>
> On localhost (Debian GNU/Linux 3.0, PHP 4.1.2, same Drupal cvs version)
> it works ok with Mozilla & Galeon.
>
> ------------------------------------------------------------------------
>
> October 12, 2003 - 20:34 : al
>
> The original bug report is surely due to Drupal needing to unset the
> cookie that it originally stored?
>
> To fix this bug, we therefore need a check on the user login/validation
> stage which forcibly unsets the cookie if you don't do "remember me".
>
> I suspect Axel's problems with one of his sites and not the other are
> due to him blocking a cookie originally and having that site on his
> Mozilla's list of sites to ban cookies from, or similar.
>
> Axel - if you are genuinely having issues with remember me not working
> at all (and not the fault originally described in this report by Ax)
> then please open a different bug report. Please make sure it's a
> genuine problem first - i.e. clear your blocked cookies sites list in
> Mozilla.
>
> ------------------------------------------------------------------------
>
> October 13, 2003 - 01:24 : axel@xxxxxxxxxxxxxxxxxxxx
>
> Well. I am not sure what is a bug, therefore I first posted the question
> about it to the forum [1]. The answer to that question pointed me to this
> bug report.
>
> Several users of my site [2] have already reported problems with
> "remember me" to me (I don't know which browsers they use). And there are
> not any blocked sites in my Mozilla cookies list - from the site I receive
> only the cookie PHPSESSID whose expire time shows "at end of session".
> [1] http://drupal.org/node/view/3601
> [2] http://debian.linuxrulez.ru
>
>
> ------------------------------------------------------------------------
>
> October 17, 2003 - 22:36 : dmo
>
> Expect "remember me" problems for users of Internet Explorer 6.
> Depending on the privacy settings, IE6 may automatically expire all
> cookies at the end of the browser session if your site doesn't have a
> compact P3P policy. See
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpriv/html/ie6privacyfeature.asp
> and http://www.oreillynet.com/pub/a/javascript/2002/10/04/p3p.html for
> further details.
>
>
> ------------------------------------------------------------------------
>
> October 18, 2003 - 04:53 : weitzman@xxxxxxxxxxxx
>
> since no one can reproduce this, i am marking as 'by design'
>
>
> ------------------------------------------------------------------------
>
> November 25, 2003 - 08:41 : junyoung
>
> This is not an IE6 specific problem. I have seen the same symptom with
> IE5.5/6.0, Opera 7.0/7.1, and Konqueror 3.1.x so far. FWIW, my blog
> site is running with Drupal 4.2.0 + PHP 4.3.3.
>
>
> ------------------------------------------------------------------------
>
> November 25, 2003 - 15:06 : remco@xxxxxxx
>
> Same problem on http://rc6.org, though the other way around.
>
> No matter what I do, my session will time out eventually. Tested using
> Opera 7.x, IE, Mozilla and Epiphany.
>
>
> ------------------------------------------------------------------------
>
> November 25, 2003 - 16:00 : weitzman@xxxxxxxxxxxx
>
> reopening this case. i confirm the behavior that marco describes using
> rc6.org and drupal.org.
>
> i find it easiest to just turn cookie prompting on in order to watch
> what is happening. what i am seeing, like marco described, is that our
> 'permanent cookie' which is supposed to last for a year is being
> overwritten in the next request with a standard session cookie that
> expires in the time frame specified in .htaccess. for drupal.org,
> standard session cookies last 1 month whereas the permanent cookie lasts
> for a year.
>
> i don't know how to fix this from within drupal. the cookie that we lay
> down for 'remember me' is working fine. the problem is the later
> overwrite which is caused by PHP's session handling, not drupal.
>
>
> ------------------------------------------------------------------------
>
> November 26, 2003 - 13:35 : weitzman@xxxxxxxxxxxx
>
> To make matters more complicated, I cannot reproduce this using PHP as
> an ISAPI module on IIS
>
>
> ------------------------------------------------------------------------
>
> November 26, 2003 - 20:07 : Dries
>
> Maybe we can set a "remember" bit in the session table and periodically
> wipe users who don't have the "remember"-bit set. The wiping part
> could be added to sess_gc() ...
>
>
> ------------------------------------------------------------------------
>
> December 4, 2003 - 02:30 : joshk
>
> I have this problem w/musicforamerica.org
>
> The really maddening thing is that I have another install of drupal 4.3
> on the same webserver and it works just fine.
>
> If the problem is with drupal's cookie being overwritten by a PHP
> session cookie, can this be fixed by giving the cookies different
> names? Sounds too simple to be the solution...
>
>
> ------------------------------------------------------------------------
>
> December 12, 2003 - 17:48 : ykoehler
>
> http://ca.php.net/manual/en/function.session-set-cookie-params.php
>
> Even though drupal is sending a cookie, it should always set this PHP
> parameter so that the session_start() call will use the same value, or
> not send any cookie at all by itself and let session_start() do it
> with, again, a call to this function to set the correct parameter.
>
> The reason why you don't get the same on a site basis is probably due
> to the different php.ini used for those sites as the default depends on
> the installation and not drupal which is probably why only some get the
> bug if there's such a thing.
>
>
> ------------------------------------------------------------------------
>
> December 30, 2003 - 21:50 : paul@xxxxxxxxxxxxxxxx
>
> I am having the opposite problem. Even if I check the "remember me" box
> my session ends when the browser closes and I'm forced to log in the
> next time I return to the site. No cookie is EVER set by my site.
>
> http://www.murphymaphia.com
>
>
>
> ------------------------------------------------------------------------
>
> January 20, 2004 - 18:31 : mathias
>
> Charles Miller has written a persistent login cookie best practices [3]
> i feel is worth reading.
> [3]
> http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice
>

------------------------------------------------------------

David M. Josselyn
Synfibers Consulting
http://www.synfibers.com
dmjossel@xxxxxxxxxxxxx
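
The overwrite reported in the quoted thread can be checked from captured response headers. The following is an added example, not code from the thread or from Drupal: it replays Set-Cookie headers in order and flags any cookie whose lifetime is changed by a later header of the same name. The two captures, cookie values and request labels are constructed; lifetimes use Max-Age for determinism, and the jar is keyed by name only (real browsers also key on domain and path).

```python
from http.cookies import SimpleCookie

ONE_MONTH = 30 * 24 * 3600    # session lifetime as configured in .htaccess (constructed)
ONE_YEAR = 365 * 24 * 3600    # "remember me" lifetime described in the thread

# Constructed capture 1: login WITHOUT "remember me" (lifetime 0), then the
# next page re-sends the session cookie with the configured lifetime.
CAPTURE_NO_REMEMBER = [
    ("POST /user/login", ["PHPSESSID=abc123; path=/"]),
    ("GET /node", [f"PHPSESSID=abc123; Max-Age={ONE_MONTH}; path=/"]),
]

# Constructed capture 2: login WITH "remember me" (one year), then the next
# page replaces it with the shorter configured lifetime.
CAPTURE_REMEMBER = [
    ("POST /user/login", [f"PHPSESSID=def456; Max-Age={ONE_YEAR}; path=/"]),
    ("GET /node", [f"PHPSESSID=def456; Max-Age={ONE_MONTH}; path=/"]),
]


def lifetime(morsel):
    """None for a browser-session cookie, else Max-Age seconds or the raw Expires value."""
    if morsel["max-age"]:
        return int(morsel["max-age"])
    return morsel["expires"] or None


def find_lifetime_overwrites(capture):
    """Return (name, first_request, old_lifetime, later_request, new_lifetime) tuples."""
    jar = {}        # cookie name -> (lifetime, request that set it)
    findings = []
    for request, set_cookie_headers in capture:
        for header in set_cookie_headers:   # a later header wins, as in a browser
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                new = lifetime(morsel)
                if name in jar and jar[name][0] != new:
                    old, first_request = jar[name]
                    findings.append((name, first_request, old, request, new))
                jar[name] = (new, request)
    return findings


if __name__ == "__main__":
    for capture in (CAPTURE_NO_REMEMBER, CAPTURE_REMEMBER):
        for finding in find_lifetime_overwrites(capture):
            print(finding)
```

A finding whose old lifetime is None and whose new lifetime is a number is the case where a user who declined "remember me" stays logged in after closing the browser.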



