When a user logs in for the first time, or after their browser cache has been cleared, the html title tag reads access denied, but the site still loads.
The node title on the page also appears as "Access Denied", after the page is reloaded, everything works as it should, its just on the initial Drupal login for first time users, or after a user's browser cache is cleared. I'm going ot guess it has something to do with auto-logging the user in / drupal user sessions....but not 100% sure.
Unfortunately I cannot post a link to the site, because it requires SAML authentication.
These access denied page requests have been piling up in Reports -> Recent log messages
This happens a few thousand times a month so the log file is nearly a gig.
Why does this happen?
Has this issue been fixed in any of the alpha releases of this module?
Comment | File | Size | Author |
---|---|---|---|
#15 | simplesamlphp_auth-access-denied-1922694-15.patch | 679 bytes | steven.wichers |
#12 | simplesamlphp_auth.module.1922694.patch | 429 bytes | Anonymous (not verified) |
Comments
Comment #1
Anonymous (not verified) CreditAttribution: Anonymous commentedHere is a sequential log of a user getting authenticated, and end result of them getting an access denied error:
simplesamlphp 02/20/2013 - 14:56 Load user [cadieck] Anonymous (not verified)
user 02/20/2013 - 14:56 Session opened for cadieck. cadieck
access denied 02/20/2013 - 14:56 node/26 cadieck
Comment #2
colanThe 1.x branch is dead, no longer supported. Use the 2.x branch instead.
Comment #3
Anonymous (not verified) CreditAttribution: Anonymous commentedI am more than willing to move to that branch, with some assurance that issue will be fixed.
This is a large enterprise level site, where I cannot just install a new version to see if it works.
Comment #4
colanPlease test the new branch somewhere if you can (not on your production system), as we'd like to move everyone over to it. Reopen this ticket in that branch if it's still a problem.
Comment #5
Anonymous (not verified) CreditAttribution: Anonymous commentedThis is still an issue, even with 7.x-alpha2.
I am going to do a bit more rigourous testing next week and will supply details then.
Comment #6
Anonymous (not verified) CreditAttribution: Anonymous commentedComment #7
Anonymous (not verified) CreditAttribution: Anonymous commentedAlso, an update, when a new user / user who cleared cache comes to site, and then authenticated via SAML, the node object returns access denied. After a simple page refresh, user then has access to node and everything works as is.
Comment #8
colanThanks for looking into this! Setting to active as there's no patch yet that "needs work".
Comment #9
Anonymous (not verified) CreditAttribution: Anonymous commentedHere is an updated log of a user being authenticated and accessing the site.
simplesamlphp 02/26/2013 - 17:13 _simplesamlphp_auth_get_authname: Valid local session... Anonymous (not verified)
simplesamlphp 02/26/2013 - 17:13 Authname is [XUSER] userid is [0] Anonymous (not verified)
simplesamlphp 02/26/2013 - 17:13 Load user [XUSER] Anonymous (not verified)
user 02/26/2013 - 17:13 Session opened for XUSER. gmbell
access denied 02/26/2013 - 17:13 node/26 XUSER
Comment #10
Anonymous (not verified) CreditAttribution: Anonymous commentedI seem to have fixed the issue, but I do not know how to write patches so I will post the code below:
after line 287 (of simplesamlphp_auth.module, version: 7.x-2.0-alpha2)
(original code)
(new code)
drupal_goto must get called because user_login_finalize starts a new session for the user too late in the boot strap process. Redirecting them back to the page they entered seems to fix the problem. It also prevents all the watchdog errors about unauthenticated users.
Comment #11
colan@kjmeath: Thanks for figuring this out! If you'd like to try to put a patch together yourself, there are instructions over at Patches. If not, someone will roll one up eventually. ;)
Comment #12
Anonymous (not verified) CreditAttribution: Anonymous commentedPatch attached
Comment #13
Anonymous (not verified) CreditAttribution: Anonymous commentedComment #14
brad.bulger CreditAttribution: brad.bulger commentedthat works if there are two components in the current path but not otherwise. from how i read the Drupal arg() function, i think it should work as well, and cover all cases, to instead do the following:
UPDATED: it also needs to handle other query arguments (eg "/my/path?page=3")
however, i was not able to recreate this problem. (i had thought i was seeing it but it turned out i had unrelated issues.)
i tried removing "View published content" permission from anonymous users, and displaying the /saml_login link on the Access Denied page. when an anonymous user clicks on that link, they end up back on the original page without any errors, without making this change. maybe there's another specific scenario that causes this problem.
Comment #15
steven.wichers CreditAttribution: steven.wichers commentedI've attached a patch that forces a redirect after the call to user_login_finalize and leverages the Drupal API to do the above.
For what it's worth, this did seem to solve my related problem when I was trying to redirect users to their profile edit screen after logging in (user/uid/edit) and they would get access denied until the next page load.
Comment #16
snufkin CreditAttribution: snufkin commentedHmm I get the idea, but I don't think this is the correct approach to the problem. I've had this on another project and for us specifically the drupal_goto approach doesnt even work, because I got an infinite redirect. It likely had something to do with the redirection I had set up to saml_login, but at least its a valid use case where this fix doesnt apply.
The main issue is that the user session is retained from between the user first touches the site (at that point as anon user) until he gets a full drupal user. If initally there was an error displayed, he'll get that when logging in.
A different approach would be to simply remove the error messages at user_login_finalize(), using
drupal_get_messages('error', TRUE);
. I've just tested this, and worked for me. The issue with this solution is that it will remove _every_ error message, so potentially useful ones as well. This authentication flow can be hooked into using Rules, I'd be inclined to say that if someone does not want the error to show, they will need to implement a rules call that is triggered on simplesamlphp_auth_rules_event_login and clears the message queue.Comment #17
2dareis2do CreditAttribution: 2dareis2do commented