After enabling the Subdirectories module (hosting_subdirs) to allow Aegir to support subsites (sites within a path off the [sub]domain URL), I discovered that it's impossible to log in, even if using drush uli.
Drupal always returns "Permission denied", code 403 Forbidden.
This is because session construction doesn't happen due to the improper placement of cookies.
For subdirectory sites, Aegir should be adding cookie settings from Configure settings.php and .htaccess to redirect subfolders properly to settings.php, but it doesn't. (I originally discovered this from Setting $cookie_domain variable for specific folder structure).
Related: We should keep track of the security implications by following #2515054: [PP-1] Session and other cookies may leak to other apps when Drupal is in a subdirectory.
I'm planning to fix this in the Subdirectories module by following Programmatically modifying Settings.php.
Comments
Comment #2
colan
Moving to Provision as there's already scaffolding there.
Comment #4
colan
Comment #5
helmo commented
Looks simple enough
Comment #6
helmo commented
already committed
Comment #7
memtkmcc commented
Interesting, we hadn’t noticed that problem in BOA because we have custom code in the global.inc we never backported to Aegir, which allowed this to work on Nginx/BOA. Good find!
Comment #9
colan