When a user logs in for the first time, or after their browser cache has been cleared, the html title tag reads access denied, but the site still loads.
The node title on the page also appears as "Access Denied", after the page is reloaded, everything works as it should, its just on the initial Drupal login for first time users, or after a user's browser cache is cleared. I'm going ot guess it has something to do with auto-logging the user in / drupal user sessions....but not 100% sure.

Unfortunately I cannot post a link to the site, because it requires SAML authentication.

These access denied page requests have been piling up in Reports -> Recent log messages

This happens a few thousand times a month so the log file is nearly a gig.

Why does this happen?

Has this issue been fixed in any of the alpha releases of this module?

CommentFileSizeAuthor
#15 simplesamlphp_auth-access-denied-1922694-15.patch679 bytessteven.wichers
#12 simplesamlphp_auth.module.1922694.patch429 bytesAnonymous (not verified)
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

Here is a sequential log of a user getting authenticated, and end result of them getting an access denied error:

simplesamlphp 02/20/2013 - 14:56 Load user [cadieck] Anonymous (not verified)
user 02/20/2013 - 14:56 Session opened for cadieck. cadieck
access denied 02/20/2013 - 14:56 node/26 cadieck

colan’s picture

colan
he/him
Primary language English
Location Toronto 🇨🇦
CreditAttribution: colan commented
Status: Active » Closed (won't fix)

The 1.x branch is dead, no longer supported. Use the 2.x branch instead.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

I am more than willing to move to that branch, with some assurance that issue will be fixed.
This is a large enterprise level site, where I cannot just install a new version to see if it works.

colan’s picture

colan
he/him
Primary language English
Location Toronto 🇨🇦
CreditAttribution: colan commented

Please test the new branch somewhere if you can (not on your production system), as we'd like to move everyone over to it. Reopen this ticket in that branch if it's still a problem.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Version: 7.x-1.3 » 7.x-2.0-alpha2

This is still an issue, even with 7.x-alpha2.
I am going to do a bit more rigourous testing next week and will supply details then.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Status: Closed (won't fix) » Needs work
Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

Also, an update, when a new user / user who cleared cache comes to site, and then authenticated via SAML, the node object returns access denied. After a simple page refresh, user then has access to node and everything works as is.

colan’s picture

colan
he/him
Primary language English
Location Toronto 🇨🇦
CreditAttribution: colan commented
Status: Needs work » Active

Thanks for looking into this! Setting to active as there's no patch yet that "needs work".

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

Here is an updated log of a user being authenticated and accessing the site.

simplesamlphp 02/26/2013 - 17:13 _simplesamlphp_auth_get_authname: Valid local session... Anonymous (not verified)
simplesamlphp 02/26/2013 - 17:13 Authname is [XUSER] userid is [0] Anonymous (not verified)
simplesamlphp 02/26/2013 - 17:13 Load user [XUSER] Anonymous (not verified)
user 02/26/2013 - 17:13 Session opened for XUSER. gmbell
access denied 02/26/2013 - 17:13 node/26 XUSER

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Status: Active » Needs review

I seem to have fixed the issue, but I do not know how to write patches so I will post the code below:

after line 287 (of simplesamlphp_auth.module, version: 7.x-2.0-alpha2)

(original code)

$edit = array();
user_login_finalize($edit);

(new code)

$edit = array();
user_login_finalize($edit);
$path = arg(0) . '/' . arg(1);
drupal_goto( $path );

drupal_goto must get called because user_login_finalize starts a new session for the user too late in the boot strap process. Redirecting them back to the page they entered seems to fix the problem. It also prevents all the watchdog errors about unauthenticated users.

colan’s picture

colan
he/him
Primary language English
Location Toronto 🇨🇦
CreditAttribution: colan commented
Status: Needs review » Needs work

@kjmeath: Thanks for figuring this out! If you'd like to try to put a patch together yourself, there are instructions over at Patches. If not, someone will roll one up eventually. ;)

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
FileSize
simplesamlphp_auth.module.1922694.patch429 bytes

Patch attached

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Status: Needs work » Needs review
brad.bulger’s picture

brad.bulger CreditAttribution: brad.bulger commented
Issue summary: View changes

that works if there are two components in the current path but not otherwise. from how i read the Drupal arg() function, i think it should work as well, and cover all cases, to instead do the following:

UPDATED: it also needs to handle other query arguments (eg "/my/path?page=3")

          $options = array();
          $query = $_GET;
          unset($query['q']);
          if ($query) {
            $options['query'] = $query;
          }
          drupal_goto($_GET['q'], $options);

however, i was not able to recreate this problem. (i had thought i was seeing it but it turned out i had unrelated issues.)

i tried removing "View published content" permission from anonymous users, and displaying the /saml_login link on the Access Denied page. when an anonymous user clicks on that link, they end up back on the original page without any errors, without making this change. maybe there's another specific scenario that causes this problem.

steven.wichers’s picture

steven.wichers CreditAttribution: steven.wichers commented
Version: 7.x-2.0-alpha2 » 7.x-2.x-dev
FileSize
simplesamlphp_auth-access-denied-1922694-15.patch679 bytes

I've attached a patch that forces a redirect after the call to user_login_finalize and leverages the Drupal API to do the above.

For what it's worth, this did seem to solve my related problem when I was trying to redirect users to their profile edit screen after logging in (user/uid/edit) and they would get access denied until the next page load.

snufkin’s picture

snufkin CreditAttribution: snufkin commented
Status: Needs review » Needs work

Hmm I get the idea, but I don't think this is the correct approach to the problem. I've had this on another project and for us specifically the drupal_goto approach doesnt even work, because I got an infinite redirect. It likely had something to do with the redirection I had set up to saml_login, but at least its a valid use case where this fix doesnt apply.

The main issue is that the user session is retained from between the user first touches the site (at that point as anon user) until he gets a full drupal user. If initally there was an error displayed, he'll get that when logging in.

A different approach would be to simply remove the error messages at user_login_finalize(), using drupal_get_messages('error', TRUE);. I've just tested this, and worked for me. The issue with this solution is that it will remove _every_ error message, so potentially useful ones as well. This authentication flow can be hooked into using Rules, I'd be inclined to say that if someone does not want the error to show, they will need to implement a rules call that is triggered on simplesamlphp_auth_rules_event_login and clears the message queue.

2dareis2do’s picture

2dareis2do CreditAttribution: 2dareis2do commented
Issue summary: View changes