I lost 5 hours of my life today, trying to work out why on earth IE users couldn't log into our stage site. I checked session handlers, recorded network traffic, debugged the site to itty bitty little pieces.
Turns out there's a peculiar quirk in IE. Technically, underscores are not permitted in domain/host-names...at least, RFCs 952 and 1123 don't permit them. Most browsers function properly, IE even renders the page...but silently drops any cookies on that domain. Which makes logging in rather an issue.
This patch checks for the presence of underscores in the host-name, and raises a requirements warning if any underscores are present.
Rationale for addressing this issue in core:
- Underscores in domain (and sub-domain) names are not compliant with the RFCs, but this is not widely-known, even amongst experienced developers.
- Although IE is technically compliant with the RFCs, its apparent support for domains with underscores (in that it attempts to serve and render the page) serves to obfusticate its inherent lack of support.
- Drupal already caters for specific IE quirks - form_builder() is one example of a function which caters specifically for IE support.
- The correlation between the cause (an underscore in the host-name), and the effect (Internet Explorer users are unable to log in) is non-obvious, and the natural problem-research/problem-solving approaches don't lend themselves to discovering the cause easily. The status-report page is an obvious first-call for problem solving, and highlighting the issue there serves as an immediate shortcut to fixing this issue.
- I and other very experienced developers have been stymied and lost many many hours investigating this problem.
- The patch has minimal impact on performance and is very simple to understand, so the maintenance cost is very low
Comment | File | Size | Author |
---|---|---|---|
#48 | 1444718-avoiding_underscores_in_domain_name-48.patch | 1.51 KB | piyuesh23 |
#43 | 1444718-43.patch | 1.51 KB | narnua |
Comments
Comment #1
manarth CreditAttribution: manarth commentedSending the patch to the testbot...
Comment #2
brahmjeet789 CreditAttribution: brahmjeet789 commentedcore-require_no_underscores_in_hostname.patch queued for re-testing.
Comment #2.0
brahmjeet789 CreditAttribution: brahmjeet789 commentedFixing typo in spelling.
Comment #3
kevla CreditAttribution: kevla commentedJust come across this myself. That patch would have been really useful if it had been merged in.
Comment #5
only4kaustav CreditAttribution: only4kaustav commentedIE has problems accepting cookies from subdomain's that dont follow the URI RFC. (http://www.ietf.org/rfc/rfc2396.txt)
Comment #6
manarth CreditAttribution: manarth as a volunteer commentedPatch needs updating for D8.
Comment #7
droplet CreditAttribution: droplet commentedCan we shorten the text to say just don't support it in Drupal at all without explain in detail.
Comment #8
manarth CreditAttribution: manarth as a volunteer commentedI'm generally in favour of brevity, but in this case, I think it's useful to highlight the consequences of this requirement failing, especially as (at least with the D7 version of the patch) the requirement is only displayed when it's failing.
The aim of this requirement is to highlight the consequences of an underscore in the host-name, and give relevant feedback to someone trying to debug a problem with IE users logging in. If it simply said "Host names should not include an underscore", the relevance may not be obvious, so it might well be ignored (just as I would ignore other failures, such as file-system not writeable, cron not run recently, etc).
There are also descriptions in core's hook_requirements that are a similar length (e.g. module update-status, upload-progress).
Comment #9
wellme CreditAttribution: wellme at Zyxware Technologies commentedComment #10
wellme CreditAttribution: wellme at Zyxware Technologies commentedPlease find the patch.
Comment #11
manarth CreditAttribution: manarth as a volunteer commentedOne very minor niggle: the indentation on the line
$requirements
is 1 space out.Everything else looks good to me.
Comment #12
leolandotan CreditAttribution: leolandotan as a volunteer and at Promet Source commentedHi! I found some minor issues. Others can check the logic thoroughly too.
Please replace the double spaces before "Whilst".
Please fix indentions and its array value declarations.
Thanks!
Comment #13
Ankit Agrawal CreditAttribution: Ankit Agrawal as a volunteer commentedRe-rolled the #10 patch as per #12. Thank you!
Comment #14
Ankit Agrawal CreditAttribution: Ankit Agrawal as a volunteer commentedComment #16
joelpittetThis could use a review, the patch is straightforward just needs to make sure it is correct english and does what is suggested in the issue summary accurately.
Comment #17
paul_charlet CreditAttribution: paul_charlet at Lumini commentedReviewed. It does what is suggested.
Comment #18
brahmjeet789 CreditAttribution: brahmjeet789 as a volunteer and at gai Technologies Pvt Ltd commentedComment #20
manarth CreditAttribution: manarth as a volunteer commentedFalse negative?
The original patch-report on #13 shows that the patch passed testing, and a manual review doesn't expose any issues. I've resubmitted for another test.
Comment #22
karlosgliberal CreditAttribution: karlosgliberal at Biko2 commentedApplied patch is working fine
Comment #23
catchDoes filter_var($url, FILTER_VALIDATE_URL) handle underscores in domain names? If so should we use it here?
Also the message should show the hostname I think. In the middle of a long list of requirement notices you don't necessarily want to look up to the address bar and back.
Comment #25
drubbUpdated the patch to use the new core array syntax, added the domain name to the message text.
Comment #26
drubbComment #27
drubbNot sure about the filter_var() thing. While it returns FALSE for domain names containing underlines, what's the advantage here? It also performs checks not related to this issue.
Comment #28
HazaIt does check over underscores. But if we use that here, it might also return false because of an other error in the domain name. That means if we still warn the user about underscores only in the error message when using
filter_var()
, we might lead the user to a false direction.Comment #30
Hazait should be updated to the short array notation [].
Comment #31
drubbJust overlooked this. Changed.
Comment #32
drubbComment #33
darius.restivan CreditAttribution: darius.restivan commentedSeems OK.
Comment #35
joelpittet$_SERVER['HTTP_HOST']
is not assumed in core, and also could be on$_SERVER['SERVER_NAME']
depending on proxy.Consider checking both values and at least doing an
isset()
?This suggests
$_SERVER['SERVER_NAME']
being more reliable, but neither being always available.https://stackoverflow.com/questions/2297403/what-is-the-difference-betwe...
Comment #36
joelpittetComment #37
rakesh_verma CreditAttribution: rakesh_verma as a volunteer and for Google Summer of Code commentedI'm having a look at this one at DC Vienna.
Comment #38
narnua CreditAttribution: narnua as a volunteer commentedTaking a look with @rakesh_verma at Vienna - edit: can review the patch once rakesh_verma has uploaded it
Comment #39
rakesh_verma CreditAttribution: rakesh_verma as a volunteer and for Google Summer of Code commentedConsidering both $_SERVER['HTTP_HOST'] and $_SERVER['SERVER_NAME'] with an isset. Just as mentioned in comment #35.
Comment #40
narnua CreditAttribution: narnua as a volunteer commentedPatch fails to apply:
Suggestion: change tabs to spaces for indentation
Comment #41
rakesh_verma CreditAttribution: rakesh_verma as a volunteer and for Google Summer of Code commentedFixing the test cases.
Comment #42
narnua CreditAttribution: narnua as a volunteer commentedTried applying patch from #41, error:
Probably some tab/tabs still left, so rerolling the patch for someone else to review.
Also: this issue should probably be tested by a Windows / IE user to verify the fix works.
Comment #43
narnua CreditAttribution: narnua as a volunteer commentedPatch 43 only aims at removing last remaining tabs, no other changes made.
A bit unsure about the if statement vs Drupal coding standards: as the statement is > 80 characters, it should probably be divided to 2 lines, however might need restructuring to separate statements according to https://www.drupal.org/docs/develop/standards/coding-standards#linelength. I used my best judgement so left it as is for now - hoping at least the patch can now be applied.
Comment #44
narnua CreditAttribution: narnua as a volunteer commentedComment #45
brahmjeet789 CreditAttribution: brahmjeet789 as a volunteer and at gai Technologies Pvt Ltd commentedComment #46
mohit1604 CreditAttribution: mohit1604 at Google Summer of Code commentedpatch is working fine.
Comment #47
larowlanComment needs to wrap at 80 chars.
These should use the
\Drupal::request()->getHttpHost()
which handles all this juggling as well as validation.Comment #48
piyuesh23 CreditAttribution: piyuesh23 at QED42 commentedI agree around the usage of wrapper function getHttpHost on Request object provided by HttpFoundation rather than relying on $_SERVER. Attaching an updated patch.
Comment #49
MixologicWas making some tweaks to drupalci to use hostnames, and the hostnames I created arbitrarily had underscores in them. (things like http://php_apache_local_41f5fbd85887179e9e38d7234c3ce954).
Anyhow, took me about half a day to figure out what the problem was, so I look forward to something like this patch being louder about invalid configurations.
Comment #50
alexpottIs there a reason to use getHttpHost() over getHost()? I don't think there is a reason for having the port appended in this instance.
There is no need to handle $_SERVER['SERVER_NAME'] here. All you need is:
if (strpos($http_host, '_') !== FALSE) {
See \Symfony\Component\HttpFoundation\Request::getHost().
One thing that is interesting is that the Symfony code allows underscores see...
Comment #51
alexpottThere is an interesting debate on https://github.com/symfony/symfony/issues/10467 where it is proposed to allows underscores in URIs... so what's super fun is that whilst getHost() allows underscores... \Symfony\Component\Validator\Constraints\UrlValidator::validate() doesn't. Seems like everyone including M$ are confused on whether underscores should or should not be supported.
Comment #61
smustgrave CreditAttribution: smustgrave at Mobomo commentedClosing this as outdated since the issue seems to be centered around IE which is a no longer supported browser
Comment #62
smustgrave CreditAttribution: smustgrave at Mobomo commented