Very often, when you enable the OpenID module in Drupal and try to log in with OpenID, you receive "Page not found", while everything works fine on localhost.
The problem occurs after you have authenticated at the OpenID provider's website and it redirects you back to your website with a URL in this format: http://www.gerixsoft.com/openid/authenticate?destination=user&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&...
The problem is that the parameters of this redirect URL contain another URL. Such URLs are considered dangerous and are very often blocked by hosting providers by means of the Apache mod_security module; it is mod_security that actually generates the 403/404/Page not found.
One solution is to follow the guidelines found on the net and ask your hosting provider to disable mod_security rules 1234234, 340151, 340153 and 340163. However, after some time the modifications may be reset and you will face the problem again. Another option is to disable mod_security completely, but this may expose your site to even bigger problems; don't do that.
The solution I have come to is to selectively reverse the effect of mod_security in PHP code. The patch I have developed undoes the 403/404 generated by mod_security for OpenID URLs only; the rest of the URLs are not touched. So OpenID works and the website stays protected.
Just open index.php and put the snippet below at line 20, just below the $return = menu_execute_active_handler(); code:
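// © by Andriy Gerasika from GerixSoft, Ltd.
// Re-dispatch a request that came back as "not found", for OpenID return URLs only.
if (is_int($return) && $return == MENU_NOT_FOUND) {
  $uri = $_SERVER['REQUEST_URI'];
  $path = parse_url($uri, PHP_URL_PATH);
  // Allow-list: only the two OpenID return paths are replayed.
  // preg_match() replaces ereg(), which is deprecated since PHP 5.3.
  if ($path == '/openid/authenticate' || preg_match('#^/user/[0-9]+/openid$#D', $path)) {
    // Rebuild the q= parameter Drupal expects and restore the query variables.
    $path = substr($path, 1);
    $query = 'q=' . $path . '&' . parse_url($uri, PHP_URL_QUERY);
    $_SERVER['QUERY_STRING'] = $query;
    parse_str($query, $_REQUEST);
    parse_str($query, $_GET);
    $return = menu_execute_active_handler();
  }
}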
P.S.
Now that OpenID works in Drupal, you may want to give my OpenID Selector Drupal module a try ;)
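The path allow-list from the patch as a standalone check, shown here as an added example that is not the author's code: `gs_openid_return_path()` and its `$base_path` argument are hypothetical names, and the sample URIs are constructed. It strips a subdirectory base path before matching, so only the two OpenID return paths are replayed and every other blocked request keeps its 403/404.

```php
<?php
// Added example, not the author's patch. gs_openid_return_path() is a
// hypothetical helper; $base_path stands for the site's base path
// ('/' for a site at the web root, '/drupal/' for a subdirectory install).
function gs_openid_return_path($request_uri, $base_path = '/') {
  $path = parse_url($request_uri, PHP_URL_PATH);
  if (!is_string($path)) {
    return NULL; // malformed URI: leave the 404 in place
  }
  // Strip the base path so the same allow-list works in a subdirectory.
  $base = rtrim($base_path, '/') . '/';
  if (strncmp($path, $base, strlen($base)) !== 0) {
    return NULL;
  }
  $internal = substr($path, strlen($base));
  // Exact matches only: anything else keeps the original 403/404.
  if ($internal === 'openid/authenticate'
      || preg_match('#^user/[0-9]+/openid$#D', $internal)) {
    return $internal;
  }
  return NULL;
}

// Constructed sample requests: array(request URI, base path).
$samples = array(
  array('/openid/authenticate?destination=user&openid.ns=x', '/'),
  array('/drupal/openid/authenticate?destination=user', '/drupal/'),
  array('/user/42/openid?openid.ns=x', '/'),
  array('/user/42/openid/delete?x=http%3A%2F%2Fexample.org', '/'),
  array('/admin/settings?u=http%3A%2F%2Fexample.org', '/'),
  array('/openid/authenticate', '/drupal/'),
);
foreach ($samples as $s) {
  $hit = gs_openid_return_path($s[0], $s[1]);
  printf("%-55s base=%-9s %s\n", $s[0], $s[1],
    $hit === NULL ? 'keep 404' : "replay as q=$hit");
}
```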
Comments
OpenID 403 message
Inserting your code snippet in index.php does not stop 403/404 error. Is there an additional change that accompanies your patch?
Drupal version
What Drupal version do you use? This patch is for Drupal 6
Drupal version
I am using version 6.19.
Perhaps it is basepath
hmm, this patch is for Drupal 6.19+ and I use it with HostGator hosting provider.
Does your website run in a subdirectory? i.e. http://www.somehost.com/drupalbasepath/?
Drupal path
I too am using Hostgator, and yes, Drupal base directory is one below the root.
Must enhance the patch
That's the case -- all my sites use subdomains, patch needs to be enhanced to handle websites in a subdirectory.
If you have the opportunity, please enhance the patch on your own. I will have free time slot no sooner than Jan 8-9.
Here it is
here is updated version handling Drupal installations in a subdirectory:
Still 403
Hi Andriy,
I am on Drupal 6.20, with Drupal installed in the topmost directory.
I inserted your code (both versions: with and without subdirectory), but cannot get it to run. More frustrating: it shows the exact same behaviour as before. I've been trying to set this up for hours and cannot get any further. Do you have another hint? Is there any other place to tweak something?
regards
Marco
Do you use some caching
Do you use some caching module? Using Boost module for example requires tweaking
Send me URL of the website in question, is .htaccess file not "heavily" modified?
Hi Andriy , thanks for your
Hi Andriy,
thanks for your help - I got it working after some hours.
It was confusing. My hoster would not remove any of the mod_security rules. At the support they also tried to reproduce my setup with a fresh installation of drupal which seemed to work for them. So I was on my own again.
While working out the exact error, I tried to disable mod_security for my own IP address and somehow messed up the .htaccess (some weird encoding/Unix line ending mixup) and shut down the whole site accidentally.
Once I got back on track everything started to work magically and continued even after I removed the mod_security disabling code and changed my IP address.
So I don't know where the error was. Caching (I don't use Boost) might have interfered - as it is often the case with strange errors.
Thanks again for your work.
Marco
Thanks
Andriy! Just wanted to say thanks for providing this fix. It's easy to find with Google and fixes the problem.
It would have taken me quite a while to understand what was going on without your help.
henrik