
[bug] "remember me" doesn't work: msg#00986

php.drupal.devel

Subject: [bug] "remember me" doesn't work

Project: Drupal
Version: cvs
Component: user.module
Category: bug reports
Priority: critical
Assigned to: Anonymous
Reported by: marco
Updated by: weitzman@xxxxxxxxxxxx
-Status: active
+Status: patch
Attachment: http://drupal.org/files/issues/_4drupal (5.3 KB)

Here is a patch which attempts to resolve this problem. I took Josh's
suggestion - just rename the permanent cookie so it gets overwritten by
the PHP session cookie. So this patch names our permanent cookie
'remember_me'. The value of this cookie is the current sessionID. This
cookie is checked in sess_read(). It is set just as before, in
user_login().

I refactored sess_read() a bit for cleaner flow. It uses a new helper
function called sess_construct_user().

Feedback welcome. Since not everyone experienced a problem with
remember me, I'm particularly interested in feedback from those who did.

weitzman@xxxxxxxxxxxx



Previous comments:
------------------------------------------------------------------------

September 22, 2003 - 08:37 : marco

"remember me" checkbox in the login box doesn't work; even if the
checkbox is left unchecked the user is NOT forgotten when he quits the
browser. Try logging in w/o "remember me", then quit the browser and
open it again: you should be still logged in.

What happens:
when you login w/o checkbox user.module outputs a cookie with lifetime
= 0 ("until session ends"); but user.module calls session_start() at
the beginning, which outputs a cookie too, with the lifetime specified
in .htaccess; and session_start() outputs this cookie always, so on the
next page the cookie from user_login() will be overwritten.

I run Mozilla 1.4; I can replicate with Drupal 4.0 and Drupal 4.2 on
PHP 4.3.3, and I can replicate this on drupal.org which also runs PHP
4.3.3; OTOH I can't replicate on a site running Drupal 4.2 with PHP
4.2.2, which may mean session_start() changed with PHP 4.3.x; I looked
in the changelog of PHP but couldn't find anything. I didn't have any
report about this before upgrading to PHP 4.3.3, which also seems to
strengthen the hypothesis of a changed behaviour in PHP. Another test I
did also showed that with PHP 4.2.2 no cookie is printed by
session_start() if a session cookie is found, while it is always
printed in PHP 4.3.3; I double checked the configurations and didn't
find anything which may cause this.
If you want to investigate this, I suggest you use Mozilla and the Live
HTTP Headers plugin.

------------------------------------------------------------------------

October 10, 2003 - 19:37 : weitzman@xxxxxxxxxxxx

Can anyone confirm this? Also, how to fix?

------------------------------------------------------------------------

October 12, 2003 - 12:45 : axel@xxxxxxxxxxxxxxxxxxxx

I agree with it for Mozilla 1.0. On my site running on FreeBSD 4.7,
PHP/4.3.0, Drupal CVS (Oct 3) this function also doesn't work. Though,
with Galeon 1.2.5 the cookie works ok.
On localhost (Debian GNU/Linux 3.0, PHP 4.1.2, same Drupal cvs version)
it works ok with Mozilla & Galeon.

------------------------------------------------------------------------

October 12, 2003 - 13:34 : al

The original bug report is surely due to Drupal needing to unset the
cookie that it originally stored?

To fix this bug, we therefore need a check on the user login/validation
stage which forcibly unsets the cookie if you don't do "remember me".

I suspect Axel's problems with one of his sites and not the other are
due to him blocking a cookie originally and having that site on his
Mozilla's list of sites to ban cookies from, or similar.

Axel - if you are genuinely having issues with remember me not working
at all (and not the fault originally described in this report by Ax)
then please open a different bug report. Please make sure it's a
genuine problem first - i.e. clear your blocked cookies sites list in
Mozilla.

------------------------------------------------------------------------

October 12, 2003 - 18:24 : axel@xxxxxxxxxxxxxxxxxxxx

Well, I wasn't sure whether this is a bug, so I first posted the question
about it to the forum [1]. The answer to that question pointed me to this
bug report.
Several users of my site [2] have already reported problems with
"remember me" to me (I don't know which browsers they use). And there are
no blocked sites in my Mozilla cookies list - from the site I receive only
the cookie PHPSESSID, whose expiry time shows "at end of session".
[1] http://drupal.org/node/view/3601
[2] http://debian.linuxrulez.ru


------------------------------------------------------------------------

October 17, 2003 - 15:36 : dmo

Expect "remember me" problems for users of Internet Explorer 6. Depending on the privacy settings, IE6 may automatically expire all
cookies at the end of the browser session if your site doesn't have a
compact P3P policy. See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpriv/html/ie6privacyfeature.asp
and http://www.oreillynet.com/pub/a/javascript/2002/10/04/p3p.html for
further details.


------------------------------------------------------------------------

October 17, 2003 - 21:53 : weitzman@xxxxxxxxxxxx

since no one can reproduce this, i am marking as 'by design'


------------------------------------------------------------------------

November 25, 2003 - 02:41 : junyoung

This is not an IE6-specific problem. I have seen the same symptom with
IE5.5/6.0, Opera 7.0/7.1, and Konqueror 3.1.x so far. FWIW, my blog
site is running with Drupal 4.2.0 + PHP 4.3.3.


------------------------------------------------------------------------

November 25, 2003 - 09:06 : remco@xxxxxxx

Same problem on http://rc6.org, though the other way around.

No matter what I do, my session will time out eventually. Tested using
Opera 7.x, IE, Mozilla and Epiphany.


------------------------------------------------------------------------

November 25, 2003 - 10:00 : weitzman@xxxxxxxxxxxx

reopening this case. i confirm the behavior that marco describes using
rc6.org and drupal.org.

i find it easiest to just turn cookie prompting on in order to watch
what is happening. what i am seeing, like marco described, is that our
'permanent cookie' which is supposed to last for a year is being
overwritten in the next request with a standard session cookie that
expires in the time frame specified in .htaccess. for drupal.org,
standard session cookies last 1 month whereas the permanent cookie lasts
for a year.

i don't know how to fix this from within drupal. the cookie that we lay
down for 'remember me' is working fine. the problem is the later
overwrite which is caused by PHP's session handling, not drupal.


------------------------------------------------------------------------

November 26, 2003 - 07:35 : weitzman@xxxxxxxxxxxx

To make matters more complicated, I cannot reproduce this using PHP as
an ISAPI module on IIS


------------------------------------------------------------------------

November 26, 2003 - 14:07 : Dries

Maybe we can set a "remember" bit in the session table and periodically
wipe users who don't have the "remember"-bit set. The wiping part
could be added to sess_gc() ...


------------------------------------------------------------------------

December 3, 2003 - 20:30 : joshk

I have this problem w/musicforamerica.org

The really maddening thing is that I have another install of drupal 4.3
on the same webserver and it works just fine.

If the problem is with drupal's cookie being overwritten by a PHP
session cookie, can this be fixed by giving the cookies different
names? Sounds too simple to be the solution...


------------------------------------------------------------------------

December 12, 2003 - 11:48 : ykoehler

http://ca.php.net/manual/en/function.session-set-cookie-params.php

Even though drupal is sending a cookie, it should always set this PHP
parameter so that the session_start() call will use the same value, or
not send any cookie at all by itself and let session_start() do it
with, again, a call to this function to set the correct parameter.

The reason why you don't get the same on a site basis is probably due
to the different php.ini used for those sites as the default depends on
the installation and not drupal which is probably why only some get the
bug if there's such a thing.


------------------------------------------------------------------------

December 30, 2003 - 15:50 : paul@xxxxxxxxxxxxxxxx

I am having the opposite problem. Even if I check the "remember me" box
my session ends when the browser closes and I'm forced to log in the
next time I return to the site. No cookie is EVER set by my site.

http://www.murphymaphia.com



------------------------------------------------------------------------

January 20, 2004 - 12:31 : mathias

Charles Miller has written a persistent login cookie best practice [3]
that i feel is worth reading.
[3]
http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice


------------------------------------------------------------------------

February 11, 2004 - 13:20 : paul@xxxxxxxxxxxxxxxx

Has any progress been made on this? I have spent a lot of time in the
code and can't manage to track this problem down. If anyone has any
ideas, thoughts, etc to share, post them here so we can get this
solved.


------------------------------------------------------------------------

February 12, 2004 - 00:07 : dmjossel

I have this problem (remember me feature not working) in Drupal 4.3.x on
PHP 4.3.2.

I do NOT have it on Drupal 4.2 on PHP 4.3.2, in exactly the same
environment.
So perhaps sessions have changed in PHP 4.3.x, but this still didn't
break Drupal 4.2, only 4.3.x.


--
View: http://drupal.org/node/view/2974
Edit: http://drupal.org/project/comments/add/2974
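
The cookie overwrite discussed in this thread, replayed as an added example (not part of the original messages and not Drupal's code): Set-Cookie values are applied in arrival order to a dictionary standing in for the browser's cookie store. The header values, dates and the `SID` placeholder are constructed assumptions; `remember_me` is the cookie name given in the patch description.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie values (not captured traffic); SID is a placeholder.
SESSION_ONLY = "PHPSESSID=SID; path=/"  # lifetime 0: "until session ends"
ONE_MONTH = "PHPSESSID=SID; expires=Wed, 22 Oct 2003 08:37:00 GMT; path=/"
ONE_YEAR = "PHPSESSID=SID; expires=Wed, 22 Sep 2004 08:37:00 GMT; path=/"
REMEMBER_ME = "remember_me=SID; expires=Wed, 22 Sep 2004 08:37:00 GMT; path=/"


def replay(set_cookie_values):
    """Apply Set-Cookie values in arrival order, as a browser cookie store
    does: a cookie with the same name and path replaces the earlier one."""
    jar = {}
    for raw in set_cookie_values:
        parsed = SimpleCookie()
        parsed.load(raw)
        for name, morsel in parsed.items():
            expires = morsel["expires"]
            jar[(name, morsel["path"])] = (
                parsedate_to_datetime(expires) if expires else None
            )
    return jar


def expiry_after_restart(jar, name, restart_time):
    """Return the cookie's expiry if it survives a browser restart, else None.
    Cookies stored without an expiry are dropped when the browser quits."""
    expires = jar.get((name, "/"))
    return expires if expires and expires > restart_time else None


def scenarios():
    """Expiry of the login cookie after a restart, for the cases in the thread."""
    restart = datetime(2003, 9, 23, tzinfo=timezone.utc)
    return {
        # Box unchecked: login sends lifetime 0, next page's session cookie wins.
        "unchecked": expiry_after_restart(
            replay([SESSION_ONLY, ONE_MONTH]), "PHPSESSID", restart),
        # Box checked: the one-year cookie is replaced by the one-month one.
        "checked": expiry_after_restart(
            replay([ONE_YEAR, ONE_MONTH]), "PHPSESSID", restart),
        # Separate name: the later PHPSESSID cookie no longer touches it.
        "renamed": expiry_after_restart(
            replay([REMEMBER_ME, ONE_MONTH]), "remember_me", restart),
    }
```

In the first two cases the browser ends up with the lifetime from the later session cookie regardless of the checkbox; only the separately named cookie keeps its one-year expiry.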




