After enabling the Subdirectories module (hosting_subdirs) to allow Aegir to support subsites (sites within a path off the [sub]domain URL), I discovered that it's impossible to log in, even if using drush uli.
Drupal always returns "Permission denied", code 403 Forbidden.
This is because session construction doesn't happen due to the improper placement of cookies.
For subdirectory sites, Aegir should be adding cookie settings from Configure settings.php and .htaccess to redirect subfolders properly to settings.php, but it doesn't. (I originally discovered this from Setting $cookie_domain variable for specific folder structure).
Related: We should keep track of the security implications by following #2515054: [PP-1] Session and other cookies may leak to other apps when Drupal is in a subdirectory.
I'm planning to fix this in the Subdirectories module by following Programmattically modifying Settings.php.
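
An added illustration, not part of the original issue or Aegir's code: the RFC 6265 path-matching rule that decides which requests on a shared hostname carry a cookie, which is the mechanism behind both a session cookie not reaching a subdirectory site and the leak tracked in #2515054. The site paths are constructed, and the example makes no claim about which Path value Aegir was actually emitting.

```python
"""RFC 6265 cookie path scoping for sites hosted in subdirectories of one host."""

def default_path(request_path):
    """RFC 6265 section 5.1.4: the Path used when Set-Cookie carries no Path attribute."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]

def path_match(cookie_path, request_path):
    """RFC 6265 section 5.1.4: would a cookie with this Path be sent with the request?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix match counts only on a "/" boundary, so /site1 does not cover /site10.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def recipients(cookie_path, request_paths):
    """Request paths on the same host that would receive the cookie."""
    return [p for p in request_paths if path_match(cookie_path, p)]

# Constructed layout: subdirectory sites and an unrelated app on one hostname.
REQUESTS = ["/site1/user/login", "/site1/admin", "/site10/user",
            "/site2/user", "/otherapp/index.php"]

def audit(cookie_path):
    """For a session cookie meant for /site1: does it reach the whole site, and where else does it go?"""
    got = recipients(cookie_path, REQUESTS)
    own = [p for p in got if path_match("/site1", p)]
    return {"reaches_site1": len(own) == 2,
            "leaks_to": [p for p in got if p not in own]}

if __name__ == "__main__":
    # "/" is host-wide, "/site1" is correctly scoped, "/site2" is misplaced,
    # and the last entry is what a browser picks when no Path is sent at all.
    for path in ("/", "/site1", "/site2", default_path("/site1/user/login")):
        print(f"Path={path!r}: {audit(path)}")
```

A host-wide Path makes login work but hands the session cookie to every sibling path, while a Path that does not cover the site's own subdirectory means the cookie never comes back and no session is established.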

Comments
Comment #2
colan: Moving to Provision as there's already scaffolding there.
Comment #4
colan
Comment #5
helmo (Initfour websolutions) commented: Looks simple enough
Comment #6
helmo (Initfour websolutions) commented: already committed
Comment #7
memtkmcc (Omega8.cc) commented: Interesting, we hadn’t noticed that problem in BOA because we have custom code in the global.inc we never backported to Aegir, which allowed this to work on Nginx/BOA. Good find!
Comment #9
colan