
Re: [bug] "remember me" doesn't work: msg#01023

php.drupal.devel

Subject: Re: [bug] "remember me" doesn't work

No difference in CVS as of yesterday; no difference in 4.3 when I made the
same change manually in common.inc and user.module.

On 2/26/04 19:47, "weitzman" <drupal-devel@xxxxxxxxxx> wrote:

> Project: Drupal
> Version: cvs
> Component: user.module
> Category: bug reports
> Priority: critical
> Assigned to: Anonymous
> Reported by: marco
> Updated by: weitzman@xxxxxxxxxxxx
> -Status: active
> +Status: patch
> Attachment: http://drupal.org/files/issues/_4drupal (5.3 KB)
>
> Here is a patch which attempts to resolve this problem. I took Josh's
> suggestion - just rename the permanent cookie so it get overwritten by
> the PHP session cookie. So this patch names our permanent cookie
> 'remember_me'. The value of this cookie is the current sessionID. This
> cookie is checked in sess_read(). It is set just as before, in
> user_login().
>
> I refactored sess_read() a bit for cleaner flow. It uses a new helper
> function called sess_construct_user().
>
> Feedback welcome. Since not everyone experienced a problem with
> remember me, I'm particularly interested in feedback from those who did.
>
> weitzman@xxxxxxxxxxxx
>
>
>
> Previous comments:
> ------------------------------------------------------------------------
>
> September 22, 2003 - 08:37 : marco
>
> "remember me" checkbox in the login box doesn't work; even if the
> checkbox is left unchecked the user is NOT forgotten when he quits the
> browser. Try logging in w/o "remember me", then quit the browser and
> open it again: you should be still logged in.
>
> What happens:
> when you login w/o checkbox user.module outputs a cookie with lifetime
> = 0 ("until session ends"); but user.module calls session_start() at
> the beginning, which outputs a cookie too, with the lifetime specified
> in .htaccess; and session_start() outputs this cookie always, so on the
> next page the cookie from user_login() will be overwritten.
>
> I run Mozilla 1.4; I can replicate with Drupal 4.0 and Drupal 4.2 on
> PHP 4.3.3, and I can replicate this on drupal.org which also runs PHP
> 4.3.3; OTOH I can't replicate on a site running Drupal 4.2 with PHP
> 4.2.2, which may mean session_start() changed with PHP 4.3.x; I looked
> in the changelog of PHP but couldn't find anything. I didn't have any
> report about this before upgrading to PHP 4.3.3, which also seems to
> strengthen the hypothesis of a changed behaviour in PHP. Another test I
> did also showed that with PHP 4.2.2 no cookie is printed by
> session_start() if a session cookie is found, while it is always
> printed in PHP 4.3.3; I double checked the configurations and didn't
> find anything which may cause this.
>
> If you want to investigate this, I suggest you use Mozilla and the Live
> HTTP Headers plugin.
>
> ------------------------------------------------------------------------
>
> October 10, 2003 - 19:37 : weitzman@xxxxxxxxxxxx
>
> Can anyone confirm this? Also, how to fix?
>
> ------------------------------------------------------------------------
>
> October 12, 2003 - 12:45 : axel@xxxxxxxxxxxxxxxxxxxx
>
> I confirm it for Mozilla 1.0. On my site running on FreeBSD 4.7,
> PHP/4.3.0, Drupal CVS (Oct 3) this function also doesn't work. Though,
> with Galeon 1.2.5 the cookie works ok.
>
> On localhost (Debian GNU/Linux 3.0, PHP 4.1.2, same Drupal cvs version)
> it works ok with Mozilla & Galeon.
>
> ------------------------------------------------------------------------
>
> October 12, 2003 - 13:34 : al
>
> The original bug report is surely due to Drupal needing to unset the
> cookie that it originally stored?
>
> To fix this bug, we therefore need a check on the user login/validation
> stage which forcibly unsets the cookie if you don't do "remember me".
>
> I suspect Axel's problems with one of his sites and not the other are
> due to him blocking a cookie originally and having that site on his
> Mozilla's list of sites to ban cookies from, or similar.
>
> Axel - if you are genuinely having issues with remember me not working
> at all (and not the fault originally described in this report by Ax)
> then please open a different bug report. Please make sure it's a
> genuine problem first - i.e. clear your blocked cookies sites list in
> Mozilla.
>
> ------------------------------------------------------------------------
>
> October 12, 2003 - 18:24 : axel@xxxxxxxxxxxxxxxxxxxx
>
> Well, I'm not sure what is a bug, so I first posted the question
> about it to the forum [1]. The answer to that question pointed me to this
> bug report.
>
> Several users of my site [2] have already reported a problem with
> "remember me" to me (I don't know which browsers they use). And there are
> no blocked sites in my Mozilla cookies list - from the site I receive only
> the cookie PHPSESSID, whose expiry time shows "at end of session".
> [1] http://drupal.org/node/view/3601
> [2] http://debian.linuxrulez.ru
>
>
> ------------------------------------------------------------------------
>
> October 17, 2003 - 15:36 : dmo
>
> Expect "remember me" problems for users of Internet Explorer 6.
> Depending on the privacy settings, IE6 may automatically expire all
> cookies at the end of the browser session if your site doesn't have a
> compact P3P policy. See
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpriv/html/ie6privacyfeature.asp
> and http://www.oreillynet.com/pub/a/javascript/2002/10/04/p3p.html for
> further details.
>
>
> ------------------------------------------------------------------------
>
> October 17, 2003 - 21:53 : weitzman@xxxxxxxxxxxx
>
> since no one can reproduce this, i am marking as 'by design'
>
>
> ------------------------------------------------------------------------
>
> November 25, 2003 - 02:41 : junyoung
>
> This is not an IE6-specific problem. I have seen the same symptom with
> IE5.5/6.0, Opera 7.0/7.1, and Konqueror 3.1.x so far. FWIW, my blog
> site is running with Drupal 4.2.0 + PHP 4.3.3.
>
>
> ------------------------------------------------------------------------
>
> November 25, 2003 - 09:06 : remco@xxxxxxx
>
> Same problem on http://rc6.org, though the other way around.
>
> No matter what I do, my session will time out eventually. Tested using
> Opera 7.x, IE, Mozilla and Epiphany.
>
>
> ------------------------------------------------------------------------
>
> November 25, 2003 - 10:00 : weitzman@xxxxxxxxxxxx
>
> reopening this case. i confirm the behavior that marco describes using
> rc6.org and drupal.org.
>
> i find it easiest to just turn cookie prompting on in order to watch
> what is happening. what i am seeing, like marco described, is that our
> 'permanent cookie' which is supposed to last for a year is being
> overwritten in the next request with a standard session cookie that
> expires in the time frame specified in .htaccess. for drupal.org,
> standard session cookies last 1 month whereas the permanent cookie lasts
> for a year.
>
> i don't know how to fix this from within drupal. the cookie that we lay
> down for 'remember me' is working fine. the problem is the later
> overwrite which is caused by PHP's session handling, not drupal.
>
>
> ------------------------------------------------------------------------
>
> November 26, 2003 - 07:35 : weitzman@xxxxxxxxxxxx
>
> To make matters more complicated, I cannot reproduce this using PHP as
> an ISAPI module on IIS
>
>
> ------------------------------------------------------------------------
>
> November 26, 2003 - 14:07 : Dries
>
> Maybe we can set a "remember" bit in the session table and periodically
> wipe users who don't have the "remember"-bit set. The wiping part
> could be added to sess_gc() ...
>
>
> ------------------------------------------------------------------------
>
> December 3, 2003 - 20:30 : joshk
>
> I have this problem w/musicforamerica.org
>
> The really maddening thing is that I have another install of drupal 4.3
> on the same webserver and it works just fine.
>
> If the problem is with drupal's cookie being overwritten by a PHP
> session cookie, can this be fixed by giving the cookies different
> names? Sounds too simple to be the solution...
>
>
> ------------------------------------------------------------------------
>
> December 12, 2003 - 11:48 : ykoehler
>
> http://ca.php.net/manual/en/function.session-set-cookie-params.php
>
> Even though drupal is sending a cookie, it should always set this PHP
> parameter so that the session_start() call will use the same value, or
> not send any cookie at all by itself and let session_start() do it
> with, again, a call to this function to set the correct parameter.
>
> The reason why you don't get the same on a site basis is probably due
> to the different php.ini used for those sites as the default depends on
> the installation and not drupal which is probably why only some get the
> bug if there's such a thing.
>
>
> ------------------------------------------------------------------------
>
> December 30, 2003 - 15:50 : paul@xxxxxxxxxxxxxxxx
>
> I am having the opposite problem. Even if I check the "remember me" box
> my session ends when the browser closes and I'm forced to log in the
> next time I return to the site. No cookie is EVER set by my site.
>
> http://www.murphymaphia.com
>
>
>
> ------------------------------------------------------------------------
>
> January 20, 2004 - 12:31 : mathias
>
> Charles Miller has written a persistent login cookie best practices [3]
> i feel is worth reading.
> [3]
> http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice
>
>
> ------------------------------------------------------------------------
>
> February 11, 2004 - 13:20 : paul@xxxxxxxxxxxxxxxx
>
> Has any progress been made on this? I have spent a lot of time in the
> code and can't manage to track this problem down. If anyone has any
> ideas, thoughts, etc to share, post them here so we can get this
> solved.
>
>
> ------------------------------------------------------------------------
>
> February 12, 2004 - 00:07 : dmjossel
>
> I have this problem (remember me feature not working) in Drupal 4.3.x on
> PHP 4.3.2.
>
> I do NOT have it on Drupal 4.2 on PHP 4.3.2, in exactly the same
> environment.
>
> So perhaps sessions have changed in PHP 4.3.x, but this still didn't
> break Drupal 4.2, only 4.3.x.
>

------------------------------------------------------------

David M. Josselyn
Synfibers Consulting
http://www.synfibers.com
dmjossel@xxxxxxxxxxxxx
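
The overwrite that marco and weitzman describe, and the renamed-cookie approach of the patch, replayed against a minimal browser-style cookie jar. This is an added example, not code from the thread or from Drupal; the header values are constructed and use Max-Age for brevity.

```python
from http.cookies import SimpleCookie

YEAR, MONTH = 365 * 86400, 30 * 86400   # lifetimes named in the thread

def replay(responses, now=0):
    """Replay Set-Cookie header values in order; return {name: (value, expiry)}.

    expiry is None for a session cookie (discarded when the browser quits).
    A later cookie with the same name replaces the earlier one, as in a browser.
    """
    jar = {}
    for header in responses:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            max_age = morsel["max-age"]          # "" when the attribute is absent
            expiry = (now + int(max_age)) if max_age else None
            jar[name] = (morsel.value, expiry)
    return jar

def after_restart(jar, now=0):
    """Cookies still held once the browser has been quit and reopened."""
    return {n: v for n, (v, exp) in jar.items() if exp is not None and exp > now}

# Constructed headers; the cookie value abc123 is made up.
# 1. Login without "remember me": user_login() sends a session cookie, then
#    session_start() on the next page re-sends it with the .htaccess lifetime.
unchecked = replay(["PHPSESSID=abc123; Path=/",
                    f"PHPSESSID=abc123; Max-Age={MONTH}; Path=/"])

# 2. Login with "remember me": the one-year cookie is cut down to a month.
checked = replay([f"PHPSESSID=abc123; Max-Age={YEAR}; Path=/",
                  f"PHPSESSID=abc123; Max-Age={MONTH}; Path=/"])

# 3. Patch approach: a separately named cookie is not touched by session_start().
renamed = replay([f"remember_me=abc123; Max-Age={YEAR}; Path=/",
                  f"PHPSESSID=abc123; Max-Age={MONTH}; Path=/"])

if __name__ == "__main__":
    print("unchecked, after restart:", after_restart(unchecked))
    print("checked expiry (s):", checked["PHPSESSID"][1])
    print("renamed expiry (s):", renamed["remember_me"][1])
```

Because the patch stores the session ID in 'remember_me', that cookie needs the same protection as the session cookie itself.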



