Mitigation
If you are experiencing session issues, use the following definition in your composer.json
to mitigate problems.
"conflict": {
"symfony/http-foundation": "3.4.24"
},
If you're using the drupal-commerce/drupal-project template, there is already an entry, append this entry.
Problem/Motivation
Still figuring this out, but #3044155: PHP7.1 vendor max Testing issue - DO NOT COMMIT identified test failures with symfony 3.4.24, released today, 2019-04-02.
https://www.drupal.org/pift-ci-job/1249248 shows the failing tests.
I've tracked it down to session handling, and specifically this commit: https://github.com/symfony/symfony/commit/029fb2e7e36b7cdf29e27d4bfa54dd...
seems our lazy sessions which have data are not showing as started, so they aren't getting saved.
Proposed resolution
Discussed with mikelutz and mglaman in slack, we might need to override the SessionManager->isStarted() to be aware of our lazy session handling and ensure that \Drupal\Core\Session\SessionManager::regenerate()
does not save sessions unnecessarily.
Remaining tasks
User interface changes
None
API changes
None
Data model changes
None
Release notes snippet
Symfony 3.4.24 made a change with how session are saved, which is incompatible with Drupal's lazy session handling, this caused a critical bug on sites upgraded via composer, including breaking password reset links. Drupal's lazy session handling has been updated to be compatible with this change.
Comment | File | Size | Author |
---|---|---|---|
#75 | 3045349-revert-8.6.x-75.patch | 3.33 KB | baikho |
#67 | 3045349-revert-8.6.x-67.patch | 3.64 KB | alexpott |
#62 | 3045349-revert-8.8x-62.patch | 3.33 KB | alexpott |
#61 | 3045349-revert-61.patch | 4.08 KB | alexpott |
#36 | 3045349-35-86x.patch | 1.45 KB | geerlingguy |
Comments
Comment #2
mglamanIn discussing w/ Mike on Drupal Slack I was looking at Drupal's lazy handling of sessions.
Mike assumes it's due to "isStarted" not being aware of our lazy handling.
Comment #3
mikelutzComment #4
mikelutzComment #5
mikelutzComment #6
mikelutzI've marked this critical because I think it will break sites that run composer update, and to get FM eyes on it first thing in the morning.
Comment #7
mikelutzComment #8
mikelutzComment #9
mglamanTitle suggestions:
* Lazy started sessions are not saved with symfony/http-foundation 3.4.24
* Session manager should report a session is started if lazy started
Comment #10
alexpottSo I'm concerned about the consequences of changing the meaning of \Drupal\Core\Session\SessionManager::isStarted() to include lazy sessions. This will affect what happens on session regeneration if the session is only a lazy session and also what happens on \Drupal\Core\DrupalKernel::initializeContainer(). Obviously the session regeneration concern is a bigger one because this happens on every log in.
We need to investigate the ramifications of the proposed fixed. An alternative (and one I'm not sure is a good one) is we could subclass \Symfony\Component\HttpFoundation\Session\Session and use it in
and override the save method to not check if it is started.
Still thinking and testing things locally.
Comment #11
alexpottIn order to make sure we don't unnecessarily save the session during a user log in we need to change \Drupal\Core\Session\SessionManager::regenerate() to check the parent's notion of isStarted() and not it's own new notion. I think we can ignore the DrupalKernel usage because although this might result in more calls to \Drupal\Core\Session\SessionManager::save() that will only create a session if it needs to and we might get more lazily started sessions but it shouldn't be a big issue.
Note if you want to see
\Drupal\Core\Session\SessionManager::regenerate()
do extra work because of #3 you can debugcore/modules/user/tests/src/Functional/UserLoginHttpTest.php
and set a breakpoint in the regenerate method.Comment #12
mikelutzShould we add a test to show the session is not regenerated if it's lazy started? Something that would have failed with my first attempt?
Comment #13
mglaman#11 makes sense to ignore the lazy session for checking if a session has been started during generation. Is there an easy way to test this via kernel tests and a mocked session?
Comment #14
mikelutzNot easily, as I'm finding out. Everything wants to write cookies and headers and can't through the CLI that the tests run in.
Comment #15
mikelutzI think this accounts for the failure on 5.6 and my predicted failure on 7.0
They should both pass without the composer upgrade command.
Comment #16
alexandersluiter CreditAttribution: alexandersluiter commentedFor those looking for the "quick fix" for the time being, mglaman and mikelutz have stated (on Slack) that adding the following conflict in your composer.json file should force a downgrade to v3.4.23. It works in my instance.
"conflict": {"symfony/http-foundation": "3.4.24"}
Comment #17
zengenuity CreditAttribution: zengenuity at DrupalTutor / Zengenuity commentedThe quick fix in #16 worked for me.
This issue completely broke password resets on my site, so it seems like a pretty big deal if that's happening to everyone. (You'd end up with Access Denied when clicking the login link.)
Comment #18
mikelutzIt also significantly affects the installer, and batch processing, among other things, I suspect.
Comment #19
mglamanComment #20
catchThis needs an inline comment as to why we're overriding the logic here.
Given this is a critical regression and we're time-constrained, if there's not an obvious route to testing this, we should consider committing this without test coverage and open up a follow-up for that (or if not commit the composer.json conflicts quick fix instead).
Comment #21
auxiliaryjoel CreditAttribution: auxiliaryjoel commentedHi I'm unable to install Drupal.
I'm using the composer project here:
https://github.com/drupal-composer/drupal-project/
running:
composer create-project drupal-composer/drupal-project:8.x-dev some-dir --no-interaction
which completes successfully.
Once I load the web page in browser and begin the installer steps, it works OK for a few steps: allows me to enter database details, choose the install type, but then I receive this error:
The website encountered an unexpected error. Please try again later.
Drupal\Core\Config\UnmetDependenciesException: Configuration objects provided by standard have unmet dependencies: block.block.bartik_account_menu (block), block.block.bartik_help (help, block), block.block.bartik_search (search, block), block_content.type.basic (block_content), comment.type.comment (comment), contact.form.feedback (contact), core.entity_form_display.block_content.basic.default (text), core.entity_form_display.node.article.default (image.style.thumbnail, comment, image, path, text), core.entity_form_display.node.page.default (path, text), core.entity_form_display.user.user.default (image.style.thumbnail, image), core.entity_view_display.node.article.default (image.style.large, comment, image, text), core.entity_view_display.node.article.rss (core.entity_view_mode.node.rss), core.entity_view_display.node.article.teaser (core.entity_view_mode.node.teaser, image.style.medium, image, text), core.entity_view_display.node.page.teaser (core.entity_view_mode.node.teaser, text), editor.editor.basic_html (ckeditor, editor), field.field.block_content.basic.body (field.storage.block_content.body, text, field), field.field.comment.comment.comment_body (field.storage.comment.comment_body, text, field), field.field.node.article.body (field.storage.node.body, text, field), field.field.node.article.comment (comment, field), field.field.node.article.field_image (image, field), field.field.node.article.field_tags (field), field.storage.node.comment (comment, node, field), field.storage.node.field_image (file, image, node, field), field.storage.node.field_tags (node, taxonomy, field), field.storage.user.user_picture (file, image, field), filter.format.basic_html (editor, filter), filter.format.restricted_html (filter), node.type.article (node), rdf.mapping.comment.comment (comment, rdf), rdf.mapping.node.article (node, rdf), rdf.mapping.taxonomy_term.tags (taxonomy, rdf), taxonomy.vocabulary.tags (taxonomy) in Drupal\Core\Config\UnmetDependenciesException::create() (line 98 of core/lib/Drupal/Core/Config/UnmetDependenciesException.php).
Drupal\Core\Config\UnmetDependenciesException::create('standard', Array) (Line: 485)
Drupal\Core\Config\ConfigInstaller->checkConfigurationToInstall('module', 'standard') (Line: 132)
Drupal\Core\ProxyClass\Config\ConfigInstaller->checkConfigurationToInstall('module', 'standard') (Line: 150)
Drupal\Core\Extension\ModuleInstaller->install(Array, ) (Line: 83)
Drupal\Core\ProxyClass\Extension\ModuleInstaller->install(Array, ) (Line: 1663)
install_install_profile(Array) (Line: 709)
install_run_task(Array, Array) (Line: 584)
install_run_tasks(Array, NULL) (Line: 125)
install_drupal(Object) (Line: 44)
Is that error related to this issue, and if so - is there any way for me to get around this to complete the install correctly?
Comment #22
cilefen CreditAttribution: cilefen commentedJust FYI, the comment above is from #2594351: UnmetDependenciesException when installing Drupal 8. I’ve duplicated two issues onto it.
Comment #23
mikelutzAlso simplified another
$this->started || $this->startedLazy
check that I noticed with $this->isStarted()Comment #24
phenaproximaI encountered this bug today, and spent my entire day bashing my head against the wall over it, after innocently trying to run an update path test (i.e.,
extends UpdatePathTestBase
) which had previously worked. If my experience holds true for core, updating symonfy/http-foundation should cause every single update path test in core to fail. So we could post a fail patch that only updates the dependency, and rely on (for now) the existing implicit test coverage to get this committed.Comment #25
catchOK https://www.drupal.org/project/drupal/issues/3044155 shows we have implicit test coverage for this, mostly in update path testing. Given that and the difficulty of testing this at a lower level, I think this is RTBC.
Comment #26
alexpott@mikelutz I'm not sure about #24. I think it is fine for the class to use the protected properties especially when doing
with the new formulation
There'll be someone in the future who comes along and changes it to
And that would change the meaning of the return value. Not that I'm convinced that the current return value makes much sense when the session is only lazily started but so be it. At least the current code doesn't hide any of this complexity.
Comment #27
alexpottSo on the logic of #26 let's be explicit about what we're doing and not call ::isStarted() internally at all. This makes it nice and explicit about how these two flags are used internally.
Keeping the excellent new docs from #23.
Comment #31
alexpottNote that the test-only patch in #27 is not a test-only patch in the traditional sense - it is a "pseudo max dependency testing" (as per @larowlan) and should pass. If we only did the drupalci.yml changes it would fail because of the error people are experiencing.
Comment #32
larowlanCommitted 3d7ea45 and pushed to 8.8.x. Thanks!
c/p to 8.7.x as 752ad1a4de
Comment #33
jaapjan CreditAttribution: jaapjan for Open Social commented8.6.x is also affected by this issue. Should we also commit this to 8.6.x?
I can confirm the patch works on 8.6.
Comment #34
truls1502I can also confirm it is also affected 8.6.x and the patch worked well.
RTBC for 8.6.x
Comment #35
geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commentedWith DrupalCon NA being next week, and 8.6.x being the active stable version... there's gonna be a lot of 'surprised' Drupal users when they go to set up their environment or demo something. I agree, this needs backport to 8.6.x, and ideally it would be good to get out a new 8.6.x release before DrupalCon. Otherwise I'm guessing we're going to see a lot more issues for this.
Comment #36
geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commentedComment #37
geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commentedMy automated installs of Drupal using Drush are also starting to fail now (only one so far, but there are a bunch on weekly cron so I know many of my projects are going to start going red soon) :( (e.g. https://travis-ci.org/geerlingguy/drupal-vm/jobs/515907080#L2647).
Comment #38
webchickDiscussed with other committers—@alexpott, @larowlan, @Gábor Hojtsy, @plach—and (despite being outside the bug fix window) we recommend putting out a "hotfix" release for this, especially given DrupalCon is next week. One good thing is that
`git diff 8.6.13 8.6.x`
is only the VERSION constant.Tagging for release manager review.
Comment #40
catchCommitted/pushed to 8.6.x, thanks!
Not sure if there's anything else we want to get into a hotfix to avoid doing a further bugfix release, but at least this one should be in it.
Comment #41
neclimdulPretty trivial but 8.6 patch added an extra newline breaking phpcs
Comment #42
geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commentedGah! Sorry about that.
Comment #43
catchPushed a follow-up.
Comment #45
John Pitcairn CreditAttribution: John Pitcairn commentedComment #46
aken.niels@gmail.comI'm not sure, but could this also be related to issues with reset links? All of our client websites seem to return "access denied" pages when users use the "Forgot password" functionality and click on the link from the mail. It seems that the URL returns a decent 302 redirect to the "/user/reset/{uid}" page but does not supply any session cookies, therefor the user is landing on that "/user/reset/{uid}" page and receives a access denied response.
Comment #47
catch@Ambidex yes that issue has been reported before, and is due to the Symfony update, so fixed by this issue.
Comment #48
aken.niels@gmail.comAwesome. I can confirm patch from #36 fixes our following two issues:
Comment #49
VAnnergard CreditAttribution: VAnnergard commentedPatch in #36 also fixes an issue where openid_connect uses sessions to validate the user with StateToken:confirm and a query token.
Comment #50
xjmThe release note on this should be expanded a bit more. It should explain to a site owner what the problem is, how it came about, and how the site is affected. See https://www.drupal.org/project/drupal/releases/8.6.12 for a similar example.
Comment #51
catchI've updated the release notes snippet. @xjm also pointed out we should find or open an upstream issue for this, given it caused a critical bug via a patch release of Symfony.
Comment #52
Scots Tom CreditAttribution: Scots Tom commentedQuick Fix in #16 worked for me.
Thank you
Comment #53
dtv_rb CreditAttribution: dtv_rb commentedMy "composer update" command did not find the new Drupal core version. The "update" page in the Drupal admin backend displays it though. Any idea?
I am on newest stable composer version and the composer.json entry for Drupal core is
"drupal/core": "~8.0",
Comment #54
Berdirit doesn't show up on https://packagist.org/packages/drupal/core, which is based on https://github.com/drupal/core/releases, which is missing that tag. The commits seem to be there, however. Not sure who has access to that these days, might need to wait until the infrastructure team is up, also most people are in Seattle now..
Comment #55
mmjvb CreditAttribution: mmjvb as a volunteer commented@dtv_rb Suggest to create your own support issue, since it is unrelated.
Use "composer prohibits" to find out what stops you upgrading. Suspect webflo or symfony package to pin you to current installed.
Hope for you that you are not on drupal/drupal, which is not meant for updating drupal/core. In which case you need to migrate code base to proper distribution.
Comment #56
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commentedI found #54 after I reported the issue
#3046516: Drupal core 8.6.14 tag is not pushed to packagist.org
Comment #58
Lennard WesterveldHmm i created a little test
and on the latest Drupal version i get on the read request not hello! back.. i see also that there is a pull request from alexpott https://github.com/symfony/symfony/pull/31215 that should fix this but now there is no private temp date saved for anonymous users which wil break sams logins etc. I think for the private stores etc the issue is not fixed yet? it is fixed to downgrading the "symfony/http-foundation": "3.4.23"
Comment #59
auxiliaryjoel CreditAttribution: auxiliaryjoel commentedJust curious if this issue is all cleared up if I was to use the default process with the composer project:
https://github.com/drupal-composer/drupal-project
or do I need to still adjust settings to avoid the errors?
Comment #60
catchOK Alex Pott and Mike Lutz just informed me that Symfony has reverted this change upstream, making this unnecessary. It's also in a tagged release.
Discussed with xjm what to do since it's release window as we speak... we both think we should:
1. Revert this issue
2. Add an explicit conflict in composer.json
3. probably update to the latest Symfony patch release, although that carries a slight risk depending what the other commits are.
Not sure what to do about 8.6.x yet but that doesn't have to be today.
Comment #61
alexpottHere's a patch that does the revert and bumps the version. Didn't add the conflict because our version in composer.json was
"symfony/http-foundation": "~3.4.26",
so bumped that to"~3.4.27"
Comment #62
alexpottAnd here's a patch for 8.8.x.
Comment #63
mikelutzLooks correct, assuming testbot has no problems with the dependency bump.
Comment #65
catchCommitted/pushed to 8.8.x and 8.7.x.
Moving as 'to be ported' to 8.6.x - we should just do the same probably.
Comment #67
alexpottHere's a patch for 8.6.x
I had to revert 2 commits because there was a coding standards followup.
Comment #68
_dcre_ CreditAttribution: _dcre_ commentedHello
patch #36 does not solve the problem for me
i attach my composer.json
{
"name": "drupal-composer/drupal-project",
"description": "Project template for Drupal 8 projects with composer",
"type": "project",
"license": "GPL-2.0-or-later",
"authors": [
{
"name": "",
"role": ""
}
],
"repositories": [
{
"type": "composer",
"url": "https://packages.drupal.org/8"
},
{
"type": "composer",
"url": "https://asset-packagist.org"
}
],
"require": {
"php": ">=5.6",
"composer/installers": "^1.2",
"cweagans/composer-patches": "^1.6.5",
"drupal-composer/drupal-scaffold": "^2.5",
"drupal/admin_toolbar": "^1.26",
"drupal/allowed_formats": "^1.1",
"drupal/auto_entitylabel": "^2.1@beta",
"drupal/better_exposed_filters": "3.x-dev",
"drupal/bootstrap_datetime_picker": "^1.2",
"drupal/components": "^1.0",
"drupal/console": "^1.0.2",
"drupal/contextual_range_filter": "1.x-dev",
"drupal/core": "^8.6.0",
"drupal/data_encryption": "^1.0@RC",
"drupal/dwr": "1.1",
"drupal/encrypt": "^3.0@RC",
"drupal/encrypt_seclib": "^1.0@alpha",
"drupal/field_encrypt": "^2.0@alpha",
"drupal/field_permissions": "^1.0@RC",
"drupal/mail_login": "^1.0",
"drupal/masquerade": "2.x-dev",
"drupal/menu_item_extras": "^2.4",
"drupal/page_message": "^1.0@beta",
"drupal/pubkey_encrypt": "^1.0@beta",
"drupal/real_aes": "^2.1",
"drupal/redirect_after_login": "^2.5",
"drupal/search_api": "^1.11",
"drupal/shield": "^1.2",
"drupal/timepicker-timepicker": "^1.0",
"drupal/views_autocomplete_filters": "^1.2",
"drupal/views_contextual_filters_or": "^1.1",
"drush/drush": "^9.0.0",
"oomphinc/composer-installers-extender": "^1.1",
"vlucas/phpdotenv": "^2.4",
"webflo/drupal-finder": "^1.0.0",
"webmozart/path-util": "^2.3",
"zaporylie/composer-drupal-optimizations": "^1.0"
},
"require-dev": {
"webflo/drupal-core-require-dev": "^8.6.0"
},
"conflict": {
"drupal/drupal": "*",
"symfony/http-foundation": "3.4.24"
},
"minimum-stability": "dev",
"prefer-stable": true,
"config": {
"sort-packages": true
},
"autoload": {
"classmap": [
"scripts/composer/ScriptHandler.php"
],
"files": ["load.environment.php"]
},
"scripts": {
"pre-install-cmd": [
"DrupalProject\\composer\\ScriptHandler::checkComposerVersion"
],
"pre-update-cmd": [
"DrupalProject\\composer\\ScriptHandler::checkComposerVersion"
],
"post-install-cmd": [
"DrupalProject\\composer\\ScriptHandler::createRequiredFiles"
],
"post-update-cmd": [
"DrupalProject\\composer\\ScriptHandler::createRequiredFiles"
]
},
"extra": {
"installer-types": [
"npm-asset",
"bower-asset"
],
"installer-paths": {
"web/libraries/{$name}": [
"type:drupal-library",
"type:npm-asset",
"type:bower-asset"
]
},
"composer-exit-on-patch-failure": true,
"patchLevel": {
"drupal/core": "-p2"
},
"installer-paths": {
"web/core": ["type:drupal-core"],
"web/libraries/{$name}": ["type:drupal-library"],
"web/modules/contrib/{$name}": ["type:drupal-module"],
"web/profiles/contrib/{$name}": ["type:drupal-profile"],
"web/themes/contrib/{$name}": ["type:drupal-theme"],
"drush/Commands/{$name}": ["type:drupal-drush"]
},
"drupal-scaffold": {
"initial": {
".editorconfig": "../.editorconfig",
".gitattributes": "../.gitattributes"
}
},
"patches": {
"drupal/core": {
"views OR bug": "https://www.drupal.org/files/issues/2018-08-02/manytoonehelper_ignores-2...",
"lazy loading issue": "https://www.drupal.org/files/issues/2019-04-04/3045349-35-86x.patch"
}
}
}
}
Comment #69
moshe weitzman CreditAttribution: moshe weitzman commentedSo, are we going to merge this into 8.6? Would be helpful on my project, for example.
Comment #70
Zekvyrin CreditAttribution: Zekvyrin at zehnplus commentedThe issue still exists on our installation (basically password reset isn't working like mentioned in #3045844).
We have updated drupal to 8.7.2 (which includes everything from here and http-foundation is on 3.4.28). Shouldn't it be working?
We're generating the one-time login link with `drush user:login`. The first time just after `drush cache:rebuild`, it works. And I think it works every 2nd `drush user:login` attempt.
Also we're receiving the message
"You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password."
on the access denied page.
-----
edit: ignore my comment. I figured out that my issue had something todo with something different from our custom modules.
Comment #71
mikelutz@Zekvyrin That doesn't strike me as the same issue necessarily. The specifc changes that caused this issue were reverted in symfony. You may want to open a new issue (it can reference this one, just in case there is some connection). Any steps you can provide to reproduce on a new installation would be helpful.
Comment #72
catchTaking moshe's comment in #69 as an RTBC.
Comment #73
DiDebruThe patch #67 will not apply on 8.6.16 for me.
Comment #74
catchYep, needs a re-roll.
Comment #75
baikhoRe-rolling
Comment #77
catchCommitted c811241 and pushed to 8.6.x. Thanks!
Comment #78
catchComment #80
Abhinaw CreditAttribution: Abhinaw as a volunteer and commentedI have update drupal 8.7.10 which having, Symfony http-foundation has been updated to version 3.4.35 in this release. once I'm getting the reset password link I'm getting forbidden (403) error.
Comment #81
q11q11 CreditAttribution: q11q11 as a volunteer commentedSame here as for /u/Abhinaw.
Updated core to 8.6.18 and have "http-foundation" of version 3.4.35.
Still gaining "You are not authorized to access this page." when trying to use one-time-login-link.
And session cookie is created.
Important moments:
- While I'm using one-time-login-link I'm being logged in and not redirected anywhere, just beholding "You are not authorized to access this page." (while already being logged in);
- I see same "You are not authorized to access this page." when I'm just trying to visit "/user/reset/{uid}" while being logged in ({uid} is just my current uid);
UPD: found custom hook_user_login with redirect response, so this comment is not relevant, sorry for panic :)
Maybe @Abhinaw also have custom redirects that executes on user login;
Comment #82
markusa CreditAttribution: markusa commentedSeeing this on an intermittent basis in Drupal 8.8.8 .. refreshing the page the one time login page works.
Comment #83
Wim LeersRelease note is already present.