Results 1 to 8 of 8

Thread: Problems accessing a Drupal site (PHP Cookies)

  1. #1
    salvis Guest

    Default Problems accessing a Drupal site (PHP Cookies)

    The Drupal CMS uses a PHP cookie for managing the user session. Typically, I can log in and work normally on the site, but every few days I suddenly lose my session, i.e. after a page request I suddenly find myself logged out, and I can't log back in. From that point on, all login attempts are logged as successful in the Drupal log, but for me as the user they don't catch on, i.e. I continue to be unauthenticated. This is the behavior that would be expected when cookies are disabled. The browser does get a cookie, though, but there seems to be something wrong with it.

    I'm using ZoneAlarm Security Suite 6.5.737.000, and here's where ZA enters the picture: the sad state above usually sticks for a day or so, and then suddenly everything works again. But I can also fix the problem by removing the site from the Privacy list, re-adding it, and allowing cookies again. From then on it works just fine for another couple of days...

    It seems like ZA occasionally trashes one of its records. I've observed this behavior for a couple of years (!) already, with headers, ads, and now with cookies, on different computers, under different Windows versions and with different ZA versions, accessing different websites. It happens relatively rarely, so it's very hard to reproduce, but now that I spend a couple of hours on that specific Drupal site every day, it happens at least once a week. I'm in the process of building that site, and I could sort of live with the occasional ZA glitch, but now one of my early test users has reported the same problem (he's using ZA, too, of course). Should I tell him to throw out ZA?

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:6.5

  2. #2
    Join Date
    Dec 2002
    Location
    Mikado Michigan
    Posts
    2,596

    Default Re: Problems accessing a Drupal site (PHP Cookies)

    In ZA do you have your cookies set to expire?
    My homes are SpywareHammer.com and DonHoover.net and BleepingComputer.com


    Consumer Security - 2011 & 2012

    Tilting at windmills hurts you more than the windmills.
    -From the Notebooks of Lazarus Long
    Senior of the Howard Families

  3. #3
    salvis Guest

    Default Re: Problems accessing a Drupal site (PHP Cookies)

    No, not for this site. For this site, all check boxes are clear.

    Session cookies should actually be enough, but the site is mine and I haven't tried to narrow down the cookies to a minimum yet.

  4. #4
    Join Date
    Dec 2002
    Location
    Mikado Michigan
    Posts
    2,596

    Default Re: Problems accessing a Drupal site (PHP Cookies)

    DO you have the privacy advisor turned on?
    My homes are SpywareHammer.com and DonHoover.net and BleepingComputer.com


    Consumer Security - 2011 & 2012

    Tilting at windmills hurts you more than the windmills.
    -From the Notebooks of Lazarus Long
    Senior of the Howard Families

  5. #5
    salvis Guest

    Default Re: Problems accessing a Drupal site (PHP Cookies)

    No, it was off. In fact I had been wanting to turn it on for a long time, but I didn't remember what it was called and where to find it, so I kept checking the System Tray Alert check box, thinking it should be the Privacy Advisor.

    Your naming the thing has finally allowed me to realize my mistake, look it up in Help, and turn it on. It'll be interesting to see what it says, but it can take a few days until the problem pops up again -- I'll be back when it does...

    Thank you for now!

    Hans

  6. #6
    salvis Guest

    Default Re: Problems accessing a Drupal site (PHP Cookies)

    Well, I didn't have to wait that long...

    Privacy Advisor shows Cookies and Private Headers blocked. If I click the link in Privacy Advisor, I get the correct site in the Privacy site list, and looking at the Options|Cookies page, all checkboxes are clear (except Show Privacy Advisor). Yet, as I click Browser Refresh again and again, Privacy Advisor keeps insisting that Cookies and Private Headers are blocked, and I remain unauthorized.

    I've cleared the entry for that site, and Privacy Advisor still shows Cookies and Private Headers being blocked, but ZA doesn't add the site to the list.

    Now I've added it, still blocking C and PH. Now looking at Options|Cookies, two checkboxes are checked: Block 3rd party cookies and Remove private header information (this is my default).

    I don't understand why there should be a 3rd party cookie at all. The browser does receive a cookie for http://www.example.com/user:

    Name PHPSESSID
    Value 8844928073ae73bd5ff7860e73cb741a
    Host www.example.com
    Path /
    Secure No
    Expires At End Of Session

    The Response headers are (numbers changed to words):

    Date: Tue, 23 Jan 2007 21:12:39 GMT
    Server: Apache/two.oh.fiftythree (Linux/SUSE)
    X-Powered-By: PHP/four.three.ten
    Expires: Sun, 19 Nov 1978 05:00:00 GMT
    Last-Modified: Tue, 23 Jan 2007 21:12:39 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Content-Length: 2903
    Keep-Alive: timeout=15, max=98
    Connection: Keep-Alive
    Content-Type: text/html; charset=utf-8

    200 OK


    Disabling Remove private header information stops PA mentioning PH and the browser gets:

    Date: Tue, 23 Jan 2007 21:16:29 GMT
    Server: Apache/two.oh.fiftythree (Linux/SUSE)
    X-Powered-By: PHP/four.three.ten
    Expires: Sun, 19 Nov 1978 05:00:00 GMT
    Last-Modified: Tue, 23 Jan 2007 21:16:29 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked

    200 OK

    The only additional header is "Transfer-Encoding: chunked". Not very exciting...
    In fact, Transfer-Encoding is a standard header (see http://www.w3.org/Protocols/rfc2616/....html#sec14.41), so filtering it as a private header seems to be a bug in ZA.


    Now, disabling Block 3rd party cookies allows the log in to catch on again, but I still see only one cookie (in Web Developer under FF2), for http://www.example.com/user/2 now:

    Name PHPSESSID
    Value 113eba81f362b7c7a9102c04174cd871
    Host www.example.com
    Path /
    Secure No
    Expires At End Of Session


    It seems that when ZA blocks the cookie it doesn't block receiving it but it blocks returning it to the server with the next request, so the server just keeps sending a new one and never gets one back. As to why ZA thinks it's a 3rd party cookie is completely mysterious, just like why it suddenly starts filtering it for no reason.

    For many years already I have occasionally observed similar behavior with thumbnails suddenly being filtered as ads and (true) private headers suddenly being filtered. I'm a programmer myself, and this looks as if ZA is holding the list of sites in memory, and it occasionally trashes a site name, so that that site falls back to the default values, because its custom entry isn't found anymore. Now, if we could somehow pass this on to the ZA programmers -- if they'd add a checksum to the site names, they'd find this long-standing bug pretty quickly...

    I think that's about as much information as I can gather here -- does this tell you something?

    Hans

  7. #7
    Join Date
    Dec 2002
    Location
    Mikado Michigan
    Posts
    2,596

    Default Re: Problems accessing a Drupal site (PHP Cookies)

    Go into your browser and turn off the privacy features in it, or turn them down a bit. Also any other programs that are protecting your privacy.
    My homes are SpywareHammer.com and DonHoover.net and BleepingComputer.com


    Consumer Security - 2011 & 2012

    Tilting at windmills hurts you more than the windmills.
    -From the Notebooks of Lazarus Long
    Senior of the Howard Families

  8. #8
    salvis Guest

    Default Re: Problems accessing a Drupal site (PHP Cookies)

    Thank you for your message! Why would that help? I'd like to understand what I'm doing and why, especially when lowering my guards and recommending others to do the same.

    Sometimes I can run just fine for a few days with the privacy features as they are, and when the login breaks, removing and recreating the ZoneAlarm entry for the site has always restored access immediately. This seems to point to ZoneAlarm more than to any other privacy guards, or what am I missing?

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •