I have tried in all various ways but it seems just impossible to stay logged in,
update.php always gives 'Access denied' unless I set $update_free_access = TRUE; but in any case clicking the Administration link when the upgrade is done always give 'Access denied' as well.
I wonder if it can have to do with the fact that I'n not using .htaccess (=slow) but instead put all content of .htaccess in to my apache virtual host container. This of course require a restart/reload of apache as as there are some changes but I have tried to tweak that step as well but still when running update.php I'm already logged out of my session.
If would be comforting to first of all hear anyone say they have succeeded stay logged in all the way, not that I can't live with it as once logged in all is ok, but if it's a question of using .htaccess or not I think the should be addresses, if nothing else in the documentation, like UPGRADE.txt which I'm taking part of improving for D7 release.
Comment | File | Size | Author |
---|---|---|---|
#50 | 945112-50-upgrade-session.patch | 3.47 KB | carlos8f |
#48 | 945112-48-upgrade-session.patch | 3.44 KB | carlos8f |
#38 | 945112-38-upgrade-session.patch | 4.57 KB | carlos8f |
#34 | 945112-34-upgrade-session.patch | 5.64 KB | dalin |
#29 | 945112-29-upgrade-session.patch | 4.01 KB | carlos8f |
Comments
Comment #1
itserich CreditAttribution: itserich commentedI am subscribing because I am unable to stay logged in after changing hosts from shared to vps.
Drupal 6 but still interested if you get any responses.
Comment #2
itserich CreditAttribution: itserich commentedYour comment about .htaccess caused me to recall I had disabled boost module which had some .htaccess modifications.
Enabling the module resolved my problem.
So thank you and hope you get or got a resolution.
Comment #3
zirvap CreditAttribution: zirvap commentedI just tried an upgrade (in order to test #949102: Polish UPGRADE.txt), and I got logged out too.
1. Logged in as user 1
2. Set the site in maintenance mode
3. Replaced files as described in http://drupal.org/files/issues/UPGRADE_20.txt
4. Went to mysite.com/update.php
5. Got the following message:
6. Tried mysite.com/user but got an error message
7. Changed settings.php as described
8. Ran update.php successfully
Comment #4
steinmb CreditAttribution: steinmb commentedI think the problem is that we are rehashing all user passwords during the upgrade #29706: More secure password hashing and keeping the session cookie after this is done is rather difficult.
Comment #5
carlos8f CreditAttribution: carlos8f commentedI've been bitten by this, too. I seem to have to set $update_free_access = TRUE every time I attempt an upgrade. I don't think this has to do with .htaccess at all, however. It would be nice to work this out since setting $update_free_access = TRUE is neither convenient nor secure.
Comment #6
David_Rothstein CreditAttribution: David_Rothstein commentedThis has been annoying me too.
I believe it resulted from #723802: convert to sha-256 and hmac from md5 and sha1, which changed Drupal's session generation code from using md5() to sha256 hashes. So the Drupal 6 session you have in your cookie is totally unrecognized by Drupal 7.
In particular, compare the last lines of these functions:
Drupal 6: http://api.drupal.org/api/drupal/includes--bootstrap.inc/function/conf_i...
Drupal 7: http://api.drupal.org/api/drupal/includes--bootstrap.inc/function/drupal...
Not sure if we could fix this - maybe update.php could have some code which (only for D6->D7 upgrades, and only for user 1), sets a new cookie if it sees you have a valid old cookie that matches a session in the database?
Comment #7
carlos8f CreditAttribution: carlos8f commented@David that sounds about right. Here's a quickie rewrite of update_access_allowed() as a possible approach.
Comment #8
SolaFide001 CreditAttribution: SolaFide001 commentedI'm wondering if this could be a more widespread problem than this report indicates - I'm trying to upgrade a test system from D6.16 to D7b3 on a local linux box. Upgraded successfully to 6.18, then followed UPGRADE.txt for D7. upgrade.php ran successfully, but I was unable to access admin pages (404 errors). I have a separate D7b3 install (different directory and DB), so cut and pasted urls from there, modifying for the correct Drupal installation, and got the same (404) error, regardless of the admin or user page sought.
The upgraded site shows up correctly, but I can not access the admin screens. One page I tried did contain the login fields, but my login (correct) was not accepted and I could not log in for about 45 minutes. Now I can log in, but clicking on any admin link (such as Configuration) gives 404 error.
Could this be related to clean URLs? I tried to reset them (they were being used on the D6.16 system), but I can not access the pages to alter them after the upgrade.
Comment #9
carlos8f CreditAttribution: carlos8f commented@SolaFide001, 404 (page not found) errors are not to be confused with 403 (access denied) errors, so that is not entirely relevant here. It sounds to me like you have the clean URL option enabled but the .htaccess file is missing or not properly rewriting those URLs. If you need more help, please open a support ticket or try IRC #drupal-support.
Comment #10
SolaFide001 CreditAttribution: SolaFide001 commentedThanks @carlos8f - I posted this originally because I was getting access denied errors, which later became 404 errors.
As an aside, I was using the default .htaccess file from D7b3. I removed it to see if there was any change, and there was not.
Comment #11
dalin@carlos8f it looks like your approach introduces a requirement that the upgrade be performed by UID 1 which we don't currently have.
Also you may as well use user_load() rather than building up the user from scratch. We don't do that during a regular page load for performance sake, but here the code efficiency is probably worth it.
Comment #12
carlos8f CreditAttribution: carlos8f commented@dalin, for an upgrade, we do require either a UID 1 session or $update_free_access=TRUE. So my approach is not introducing anything new. Due to hashing changes, D6 sessions no longer work once the D7 code is uploaded, which means you must use $update_free_access. I think setting that variable should be a last resort, not a requirement to upgrade.
I'd like to raise this to 'major', as it touches the upgrade path and affects anyone attempting to upgrade.
Also, user_load() is probably broken at this point in update.php since we have D7 code and a D6 database. That's my reasoning for building $user from scratch.
Comment #13
dalinAh of course, I obviously need to take a nap. Everything that you've said is sound.
Comment #14
dalinWell I was kind-of right. Your approach doesn't work if the user is not UID 1, but $update_free_access == TRUE. I also found what may be an easier way of loading the user object - by calling _drupal_session_read(). I manually tested an upgrade and it works as expected - you stay logged in.
Comment #15
carlos8f CreditAttribution: carlos8f commentedPatch looks great. Let's get some other opinions though. I think this is close to RTBC.
Comment #16
David_Rothstein CreditAttribution: David_Rothstein commentedHm, this didn't seem to work for me when I tested it out :( I didn't have time to debug further, but will try to soon.
Apart from that, this looks good except for a couple of things:
which could be used to make sure this only can happen during the D6->D7 upgrade, never again.
My only other thought is that it seems this patch will leave an odd backdoor where if any user of the site hits update.php before updates are run (even without access to it), they can regenerate their session and prevent themselves from getting logged out during the D6->D7 upgrade? I guess that ought to be completely harmless, but somehow it makes me feel a tiny bit uncomfortable anyway :)
Comment #17
ctmattice1 CreditAttribution: ctmattice1 commentedTried the patch in #14
In my case it didn't work. This concerns more the session variable than anything on my attempt. Since the other issue was closed as duplicate I posted here.
Senario,
A d5 system updated to 6.19
user 1 is NOT logged in, $update_free_access is set to TRUE.
system clogs around updating (extremely slow)
update completes.
Ajax error box pop's up with
* Notice: Undefined index: update_success in update_results_page() (line 162 of C:\sites\d6d7\update.php).
* Warning: reset(): Passed variable is not an array or object in update_results_page() (line 166 of C:\sites\d6d7\update.php).
* Warning: array_pop(): The argument should be an array in update_results_page() (line 166 of C:\sites\d6d7\update.php).
I can log into the updated site. it ask me to change my timezone setting and works. This is an old bug and every patch I've tried hasn't worked.
Comment #18
carlos8f CreditAttribution: carlos8f commentedIt occurred to me that we might be able to work this into the upgrade tests -- instead of creating a user #1 session with D7 hashing in UpgradePathTestCase::setUp(), we could create one with D6 hashing and have the upgrade convert that session.
Comment #19
carlos8f CreditAttribution: carlos8f commentedThis patch combines the ideas of #16 and #18, and works in theory (the upgrade tests are passing, but I haven't tried an actual upgrade).
Comment #20
carlos8f CreditAttribution: carlos8f commentedI tried an actual upgrade and it didn't work. I found the cause to be that $cookie_domain causes the session name assignment to not be idempotent. So you get two different session names running that logic twice, if $cookie_domain isn't set in $conf.
I removed support for $cookie_domain then, which should only affect a minority of sites. I successfully stayed logged in through an upgrade with this patch.
Comment #21
ctmattice1 CreditAttribution: ctmattice1 commentedApplied the patch in #19 to dec. 4 tarball, same results
* Notice: Undefined index: update_success in update_results_page() (line 162 of C:\sites\d6d7\update.php).
* Warning: reset(): Passed variable is not an array or object in update_results_page() (line 166 of C:\sites\d6d7\update.php).
* Warning: array_pop(): The argument should be an array in update_results_page() (line 166 of C:\sites\d6d7\update.php).
Could this possibly be related to ajax losing data? just pondering, not familiar enough with bootstrapping to know where to start looking.
[note: since this is an edit to correct wrong patch #, currently running update on #20 now, will post back results]
Comment #22
carlos8f CreditAttribution: carlos8f commented@ctmattice1,
Can you specify what issue was closed as a duplicate? From the looks of your error report it doesn't look related to this issue at all.
Comment #23
ctmattice1 CreditAttribution: ctmattice1 commented@carlos8F - the other is #826640: Update results page missing session data, causing "Undefined index: update_success" notice and "aborted prematurely" message
but in that issue I have a user 0 until I run the upgrade. the unassigned index $update_sucess that shows in that issue is repeated in this issue. There are others as well, can't remember, some open, some not.
I REALLY don't care if this get's fixed now or not. It is a nuance more than anything else.
I picked this issue as it was similar.
Yes on update I am logged out.
Yes $update_free_access is set to TRUE
Yes I run the update and get errors
Yes this is probably D8 material now.
No I do not have a user 0 after upgrading but can add it to correct other issues.
No Patch in #20 did not work either on this particular db update attempt.
Yes it updates, yes I can log in, yes it is still in maintenance mode (this was never a issue I experienced)
Still annoying and I haven't been able to figure out this one at all so I keep searching. Any suggestions??
Comment #24
carlos8f CreditAttribution: carlos8f commented@ctmattice1, if you have no user 0, something went wrong when you copied the database, so this is not a bug in Drupal. I created an issue for D8, #989852: Kill uid=0 requirement, to get rid of this dependency since it's very commonly missing in databases copied with phpMyAdmin, etc.
Comment #25
David_Rothstein CreditAttribution: David_Rothstein commentedThe patch in #20 worked for me.
I thought we could make the cookie domain stuff work by removing the part of patch #19 that makes it non-idempotent (since this code isn't necessary for what we're doing anyway):
But the deeper part of the problem is that drupal_settings_initialize() in Drupal 7 will set $cookie_domain for everyone as soon as it's called, so we can't (easily) distinguish between people who actually had $cookie_domain defined in their settings.php and people who did not. By the time our code gets called, everyone has it defined.
There's probably a way to fix that, but I guess it's not worth the effort unless someone clamors for it.
Comment #26
dalin#20 works for me. Patch generally looks good. I do see that this code runs on every page load during the update process. Would it make sense to make it just run once?
Comment #27
ctmattice1 CreditAttribution: ctmattice1 commented@carlos8f - "if you have no user 0, something went wrong when you copied the database"
Thanks, I checked my user table and found that the copied database did not have uid 0. I added it, ran the update and it took care of the error. I guess I should have picked up on this on the other issues but took for granted that phpmyadmin would do an exact copy. Ha, think I need to think twice about making assumptions. I'll follow the new issue #989852: Kill uid=0 requirement you started.
Comment #28
carlos8f CreditAttribution: carlos8f commented@David, that was what I was trying to say (at 3am) but you explained it better -- at this point in the bootstrap, it's hard to tell whether $cookie_domain is set in $conf or not. This latest patch attempts to load settings.php and only use $cookie_domain if it is set there.
@dalin, it would make sense to regenerate the session only once, but there are complications. For example under SSL, D7's session handling requires a new 'ssid' field that doesn't exist at the time of our code. I messed around with various approaches and this was the best I could come up with that actually works.
Comment #29
carlos8f CreditAttribution: carlos8f commentedOops, missed a semicolon.
Comment #30
dalinIf this is the case shouldn't we be calling drupal_settings_initialize() again at the end of this function to set things back.
Comment #31
carlos8f CreditAttribution: carlos8f commentedNo, update_get_d6_session_name() does not modify any globals. It's a read-only function, and it tries to read the original value of $cookie_domain from settings.php, but doesn't change it.
Comment #32
dalinAh I see now.
I think this is good-to-go.
Comment #33
David_Rothstein CreditAttribution: David_Rothstein commentedCan't including settings.php twice on the same page request have unintended side effects? I think it can. (I've seen people put all sorts of interesting custom logic in settings.php for various reasons.)
An alternative might be to have drupal_settings_initialize() store the original cookie domain from settings.php in a separate global variable, $cookie_domain_original or something, before it thinks about modifying it. That would allow anyone who needed the same information that we need here to get at it also, with no side effects.
Comment #34
dalinAh right. I've run into that exact trouble before so I should've caught that. This one uses $cookie_domain_original.
Comment #35
carlos8f CreditAttribution: carlos8f commentedTrailing whitespace.
I would use
!isset($cookie_domain_original)
here. === NULL is a little hard to grok unless you realize that $cookie_domain_original may be initialized to NULL when declared a global.Er...
Since you made sure that $cookie_domain_original is initialized, you can simply do
if ($cookie_domain_original)
Comment #36
David_Rothstein CreditAttribution: David_Rothstein commentedAs @carlos8f said, at least this should use isset(), but do we even need the check at all? I can't think of a scenario where we want or expect this variable to have been set by someone else beforehand.
I'm thinking we probably don't need that either. Couldn't we just leave $cookie_domain_original unset if it's not being used?
Otherwise, this patch looks pretty good - I think it's close to being ready. I haven't dug 100% deeply into the session stuff yet, but I know from previous patches (and the test) that it seems to be working :)
Comment #37
carlos8f CreditAttribution: carlos8f commented@David, sounds good. I'll give it a re-roll tonight.
Comment #38
carlos8f CreditAttribution: carlos8f commentedHere are the changes:
- Addressed #35 and #36.
- $cookie_domain_is_custom instead of $cookie_domain_original (TRUE flag instead of a semi-useless copy)
- Ripped out superfluous comments in update_get_d6_session_name() copied from drupal_settings_initialize().
I think this is pretty close to RTBC too.
Comment #39
dalinAh I tried to beat Carlos to the patch but ran out of time. My reasoning for the apparent oddness with NULL vs. ''; Is that drupal_settings_initialize() can be called twice in one page load. Doing so a second time without the funny logic would overwrite a previous value. While it would be odd to do so, there is nothing that prevents calling it twice.
Comment #40
carlos8f CreditAttribution: carlos8f commented@dalin I don't see the tangible benefit from calling drupal_settings_initialize() twice, or bending over backwards to facilitate that :)
Comment #41
mo6I tested the patch in #38 on a clean D6.19 install and it works fine: I stay logged in as an admin and can complete the upgrade without having to edit settings.php.
Comment #42
mo6I still see some minor code clean up to be done (removing excess space around string constants)
Comment #43
carlos8f CreditAttribution: carlos8f commented@george, not sure what you mean about excess space.
Comment #44
mo6My bad, seems my information wasn't up to date: http://drupal.org/coding-standards#concat (sometimes still living in D4.6 times :)
Comment #45
David_Rothstein CreditAttribution: David_Rothstein commentedI was confused about $cookie_domain_is_custom for a second but then realized that it's because $cookie_domain never gets modified in the case where the user provides it in settings.php (only in the other case). So that definitely makes sense.
Considering that calling drupal_settings_initialize() twice can currently cause problems anyway, I agree we don't have to try to start supporting it here.
I think this one is good!
Comment #46
Damien Tournoud CreditAttribution: Damien Tournoud commentedNot close to ready.
"session.inc" is pluggeable. You need to use the proper variable here.
This is a private function of the session implementation. You just cannot call it directly. I think you want session_start() here.
The rest of the patch is not very very pretty. What we actually care about is $session_name... if $cookie_domain is the session name (that we can check by recomputing the hash), we should just use that, if it isn't we should rebuild it using the D6 algorithm (explode('://', $base_url, 2)). I'm not convinced there is any need to modify drupal_settings_initialize() at all.
Comment #47
David_Rothstein CreditAttribution: David_Rothstein commentedI don't think session_start() will work here. And supporting this behavior for people using pluggable sessions during the D6->D7 upgrade seems like a nice-to-have :)
But..... is there any reason we can't just remove those two lines from the patch entirely? I.e. these lines:
I tried it quickly and it seemed to work. Essentially, we'd still be modifying the cookie/etc in this part of the code, but then let Drupal read the session at the same part of the bootstrap that it normally would.
The idea of checking $cookie_domain by recomputing the hash also seems to make a lot of sense.
Comment #48
carlos8f CreditAttribution: carlos8f commentedWow, thanks @Damien and @David, this patch got a lot simpler. I ran the tests successfully after setting a custom $cookie_domain, so it looks like that part is working. Nice.
Comment #49
David_Rothstein CreditAttribution: David_Rothstein commentedAre you sure $is_https is the right thing to check here? Looking at the code in drupal_settings_initialize() it seems
ini_get('session.cookie_secure')
would be better.Otherwise, looks great to me. And I think it addresses all of Damien's concerns.
Comment #50
carlos8f CreditAttribution: carlos8f commentedGood catch, we do an ini_set() if $is_https=TRUE in drupal_settings_initialize(), but otherwise fall back on the ini_get().
Now the patch is pretty (tm)
Comment #51
Damien Tournoud CreditAttribution: Damien Tournoud commentedIssue summary: this patch allows the Drupal 6 session cookie (that has a name in the form
'SESS' . md5($session_name)
) to work during upgrade.The code looks sounds and this is an important usability improvement for the upgrade process.
Comment #52
dalinJust a correction, it is not only a usability improvement, but also fixes several PHP warnings during the upgrade that make the upgrade appear to have failed:
#986846: PHP warning during upgrade causes apparent premature abortion
Comment #53
Damien Tournoud CreditAttribution: Damien Tournoud commented@dalin: no. Those warnings are caused by a missing uid = 0.
This issue is just an usability improvement.
Comment #54
webchickNice work on this, folks.
Committed to HEAD.