Problem/Motivation
Drupal login requires browser cookie support. However, when a user who does not have cookies enabled attempts to log in, no error message is given. Instead, the user is returned to the /user/{uid} page with a 403 error code. As well as being a bug, the lack of a cookie notification constitutes a key usability barrier: users who hit the bug have no cue as to what is needed in order to log in.
Related issue at install time: #791004: Installer does not warn the user that cookies must be enabled with the correct cookie domain (and fails when they aren't).
Other PHP applications by way of comparison:
Wordpress:
Code is in http://core.svn.wordpress.org/trunk/wp-login.php. Prior to login, a test cookie is set:
// Set a cookie now to see if they are supported by the browser.
setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN);
if ( SITECOOKIEPATH != COOKIEPATH )
    setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
A hidden element is added to the login form:
<input type="hidden" name="testcookie" value="1" />
On login attempt, if the testcookie flag is set but the test cookie is not present, an error is raised:
// If cookies are disabled we can't log in even with a valid user+pass
if ( isset($_POST['testcookie']) && empty($_COOKIE[TEST_COOKIE]) )
    $errors->add('test_cookie', __("<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href='http://www.google.com/cookies.html'>enable cookies</a> to use WordPress."));
Joomla: Reportedly doesn't provide user feedback on cookie failure; see this forum post.
Symfony: Cookie handling doesn't appear to include a test for browser cookie support.
Proposed resolution
The proposed patch takes the following approach:
- Add a query string parameter "state=check_logged_in" upon login form submission.
- On kernel request, if the parameter exists and the user is not actually logged in, then we know they don't have cookies enabled, so we set a form error.
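The following is an added illustration of the second step as a KernelEvents::REQUEST subscriber; it is not the patch attached to this issue, and the module name, class name and the "state=loggedin" marker (the value used in the API changes section) are assumptions. It also words the message to allow for the logged-out back-button case reported in #138, and keeps the text fixed because the marker is user-controllable.

```php
<?php

namespace Drupal\example_cookie_check\EventSubscriber;

use Drupal\Core\Messenger\MessengerInterface;
use Drupal\Core\Session\AccountProxyInterface;
use Drupal\Core\StringTranslation\StringTranslationTrait;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Warns a visitor when the post-login redirect came back without a session.
 *
 * Assumes the login form submit handler redirects with "?state=loggedin"
 * appended (hypothetical marker, mirroring the proposed resolution).
 */
class LoginCookieCheckSubscriber implements EventSubscriberInterface {

  use StringTranslationTrait;

  public function __construct(
    protected AccountProxyInterface $currentUser,
    protected MessengerInterface $messenger,
  ) {}

  public static function getSubscribedEvents(): array {
    // Priority 0 runs after core's AuthenticationSubscriber (priority 300),
    // so the current user has already been resolved from the session cookie.
    return [KernelEvents::REQUEST => ['onRequest', 0]];
  }

  public function onRequest(RequestEvent $event): void {
    if (!$event->isMainRequest()) {
      return;
    }
    // Strict comparison: query->get() returns null when the marker is absent.
    if ($event->getRequest()->query->get('state') !== 'loggedin') {
      return;
    }
    // Authenticated here means the session cookie round-tripped: nothing to do.
    if ($this->currentUser->isAuthenticated()) {
      return;
    }
    // Anonymous despite the marker: cookies were blocked, or this URL was
    // revisited from browser history after logging out (#138). The message is
    // constant and never echoes request data, since anyone can craft the marker.
    $this->messenger->addError($this->t('You are not logged in. If you just tried to log in, your browser must accept cookies from this site; if you returned to this page from your history, log in again.'));
  }

}
```

The class must be registered in the module's services.yml with the `event_subscriber` tag and the `current_user` and `messenger` services as arguments; it targets current Drupal (Symfony 6+), where RequestEvent::isMainRequest() replaced isMasterRequest().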
Remaining tasks
- Additional test coverage, and/or remove the "Needs tests" tag.
- Drupal\Core\EventSubscriber\MaintenanceModeSubscriber::checkUserCookies should be moved to a more appropriate event subscriber, such as Drupal\Core\EventSubscriber\AnonymousUserResponseSubscriber. As it stands, checkUserCookies has nothing to do with maintenance mode.
- Discuss the comment in #217 about the user_login_form_submit hook: what was its purpose, and should we keep it?
- The current patch was an initial draft. Several other possibilities have been suggested since, with no clear consensus as yet. #145 includes a reasonably current summary of options.
- Latest comment from D8 maintainer catch: "I don't like either the double redirect option, or the runtime check on every page here, but neither do I have any better ideas - would be good to get some feedback from others."
- #138 reports the following issue with the patch: "if the user logs off and uses the browser's history or back button to return to the page containing the "state=loggedin" query, then the cookie warning message is displayed when it shouldn't be. It would be possible to reword the message to allow for this possibility, absent a better solution."
- #123: "some of the information in this issue needs to be added to user_init() in a comment if we go for this option."
- The current patch generates two errors. From #160: "Those two failures look like they're specific to the solution here (probably code that expects a specific URL after logging in and therefore gets confused by the new ?state=loggedin). So not worth fixing unless this is the actual solution we're going with."
- Given that this is a common need that has been addressed in many other PHP applications but not in Drupal, we'd do well to look around. Some information is above in the issue summary. More research welcome.
User interface changes
Users attempting to log in will receive an error message if they don't have cookies enabled.
API changes
Modifies the user login process by adding a query string parameter "state=loggedin" and testing for it during KernelEvents::REQUEST.
Original report by anders
since drupal relies on cookies for logging in, not warning the user if the cookie is not allowed is plain old stupidity.
We need a warning to regular users (on an already installed Drupal site) that they need to enable cookies to be able to log in on the site.
Right now nothing is displayed if cookies are not enabled, and the user has no clue as to why.
We did have a patch (but it needs a reroll), and a test.