Back at the beginning of February, chx (a Drupal master coder) posted a story to Drupal’s homepage asking for people to come together and work on an “elusive login issue” that people had been reporting for over a year. Some users were reporting that no matter how many times they tried to login to Drupal, they would be promptly put back in front of the login form without the anticipated “Unrecognized username or password” error message.
A Simple, Desultory Bug Hunt
(Or How I Was chx'd Into Submission)
At the time I was not able to reproduce the problem, and so couldn’t partake in the bug hunt. But that changed last night…
...for the life of me, I could not log in! I was going to do some work on a client’s website, so I pulled up my development version of it at http://sarah.dev.albin.net (the name’s have been changed to protect the innocent) and, for the life of me, I could not log in! I tried again. And again. I drank some tea. I tried again. I knew that I had the username and password correct, but still no go.
So I tried a different browser (as any first-level support lackey would tell you), and I was magickly able to login with the same username and password. No problems. I drank some more tea. I then headed over to Drupal’s logs and it shows multiple, successful logins just a few minutes before. O… K…
I then dived into the MySQL database and looked at the sessions table to see the most recent session IDs. The last session ID is the one reported in my 2nd browser’s cookie for sarah.dev.albin.net. The third-to-last session ID is the one reported in my 1st browser’s cookie for sarah.dev.albin.net. But where’s the second-to-last session ID coming from?
Nobody is trying to login besides me; I’m on a private nework! Should I look for script kiddies next to the dust bunnies in my office? And then I spot it! That mysterious session ID is the same as the one on my 1st browser's cookie for albin.net!
It all came together for me then… the browser was sending both cookies (because they both match the tail end of the sarah.dev.albin.net server name), but Drupal was only able to see the albin.net cookie; the wrong cookie!
A Critical Bug
Because this bug prevents users from successfully logging in, this is actually a critical bug. :-D …should I be giddy for finding a critical bug? :-( erm… Anyway, moving on… I’ve posted a patch to Drupal core over at http://drupal.org/node/56357 and hopefully it will get rolled into the not-yet-released Drupal 5.2 and Drupal 4.7.7.
…and the reason I had never experienced that login bug until last night? I had finally gotten around to installing Drupal on www.albin.net a few weeks ago. There were simply no albin.net cookies in my browser before. Oh, the humanity!