How to Fix "Page not found" / 403 / 404 Error in OpenID module in Drupal

A common situation: you enable the OpenID module in Drupal, try to log in with OpenID, and receive "Page not found", while everything works fine on localhost.

The problem occurs after you have authenticated at the OpenID provider's website and it redirects you back to your website with a URL in this format: http://www.gerixsoft.com/openid/authenticate?destination=user&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&...

The problem is that the parameters of this redirect URL contain another URL. URLs of this kind are considered dangerous and are very often blocked by hosting providers by means of the Apache mod_security module; it is mod_security that actually generates the 403/404/Page not found response.

One solution is to follow the guidelines found on the net and ask your hosting provider to disable mod_security rules 1234234, 340151, 340153 and 340163. However, after some time the modifications may be reset and you will face the problem again. Another option is to disable mod_security entirely, but this may expose your site to even bigger problems; don't do that.
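If the hosting provider does agree to change the rules, the exclusion can be limited to the OpenID return paths instead of the whole site. The configuration below is an added example, not part of the original post; it assumes ModSecurity 2.x, Drupal installed at the web root, and uses the rule IDs quoted above and the two paths handled by the patch further down.

```apache
# Added example: assumes ModSecurity 2.x and Drupal installed at the web root.
# Intended for the server or virtual-host configuration maintained by the hoster.
<IfModule security2_module>
    # Weak: switches the WAF off for the whole site.
    # SecRuleEngine Off

    # Still too broad: removes the rules for every URL on the site.
    # SecRuleRemoveById 1234234 340151 340153 340163

    # Scoped: the rules stay active everywhere except the two OpenID
    # return paths, which legitimately carry a URL in their parameters.
    <LocationMatch "^/(openid/authenticate|user/[0-9]+/openid)$">
        SecRuleRemoveById 1234234 340151 340153 340163
    </LocationMatch>
</IfModule>
```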

The solution I have come to is to selectively reverse the effect of mod_security in PHP code. The patch I have developed undoes the 403/404 generated by mod_security for OpenID URLs only; all other URLs are not touched. So OpenID works and the website stays protected.

Just open index.php and put the snippet below at line 20, just below the $return = menu_execute_active_handler(); line:

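// © by Andriy Gerasika from GerixSoft, Ltd.
// Runs only when Drupal could not route the request (MENU_NOT_FOUND).
if (is_int($return) && $return == MENU_NOT_FOUND) {
	$uri = $_SERVER['REQUEST_URI'];
	$path = parse_url($uri, PHP_URL_PATH);
	// Only the two OpenID paths are re-dispatched; the pattern is anchored at both ends.
	// preg_match() replaces ereg(), which is deprecated since PHP 5.3 and removed in PHP 7.
	if ($path == '/openid/authenticate' || preg_match('#^/user/[0-9]+/openid$#', $path)) {
		// Drop the leading slash to get the Drupal path for q=.
		$path = substr($path, 1);
		// Rebuild the query string from the original request URI.
		$query = 'q=' . $path . '&' . parse_url($uri, PHP_URL_QUERY);
		$_SERVER['QUERY_STRING'] = $query;
		parse_str($query, $_REQUEST);
		parse_str($query, $_GET);
		// Dispatch again, this time with the OpenID parameters restored.
		$return = menu_execute_active_handler();
	}
}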

P.S.
Now that OpenID works in Drupal, you may give my OpenID Selector Drupal module a try ;)

Comments

OpenID 403 message

Inserting your code snippet in index.php does not stop 403/404 error. Is there an additional change that accompanies your patch?

Drupal version

What Drupal version do you use? This patch is for Drupal 6.

Drupal version

I am using version 6.19.

Perhaps it is basepath

hmm, this patch is for Drupal 6.19+ and I use it with HostGator hosting provider.

Does your website run in a subdirectory? i.e. http://www.somehost.com/drupalbasepath/?

Drupal path

I too am using Hostgator, and yes, Drupal base directory is one below the root.

Must enhance the patch

That's the case -- all my sites use subdomains, patch needs to be enhanced to handle websites in a subdirectory.

If you have the opportunity, please enhance the patch on your own. I will have a free time slot no sooner than Jan 8-9.

Here it is

Here is the updated version, handling Drupal installations in a subdirectory:

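// © by Andriy Gerasika from GerixSoft, Ltd.
// Runs only when Drupal could not route the request (MENU_NOT_FOUND).
if (is_int($return) && $return == MENU_NOT_FOUND) {
	$uri = $_SERVER['REQUEST_URI'];
	$path = parse_url($uri, PHP_URL_PATH);
	// base_path() is '/' for a top-level install or '/subdir/' for a subdirectory.
	// preg_quote() keeps characters in the base path from being read as regex syntax;
	// preg_match() replaces ereg(), which is deprecated since PHP 5.3 and removed in PHP 7.
	if ($path == base_path() . 'openid/authenticate' || preg_match('#^' . preg_quote(base_path(), '#') . 'user/[0-9]+/openid$#', $path)) {
		// Strip the base path to get the Drupal path for q=.
		$path = substr($path, strlen(base_path()));
		// Rebuild the query string from the original request URI.
		$query = 'q=' . $path . '&' . parse_url($uri, PHP_URL_QUERY);
		$_SERVER['QUERY_STRING'] = $query;
		parse_str($query, $_REQUEST);
		parse_str($query, $_GET);
		// Dispatch again, this time with the OpenID parameters restored.
		$return = menu_execute_active_handler();
	}
}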

Still 403

Hi Andriy,

I am on Drupal 6.20, with Drupal installed in the topmost directory.

I inserted your code (both versions: with and without subdirectory), but cannot get it to run. More frustrating: it shows the exact same behaviour as before. I've been trying to set this up for hours and cannot get any further. Do you have another hint? Is there any other place to tweak something?

regards
Marco

Do you use some caching

Do you use some caching module? Using the Boost module, for example, requires tweaking.

Send me the URL of the website in question. Is the .htaccess file not "heavily" modified?

Hi Andriy , thanks for your

Hi Andriy,

thanks for your help - I got it working after some hours.

It was confusing. My hoster would not remove any of the mod_security rules. At the support they also tried to reproduce my setup with a fresh installation of Drupal, which seemed to work for them. So I was on my own again.

While working out the exact error, I tried to disable mod_security for my own IP address and somehow messed up the .htaccess (some weird encoding/Unix line ending mixup) and shut down the whole site accidentally.

Once I got back on track everything started to work magically and continued even after I removed the mod_security disabling code and changed my IP address.

So I don't know where the error was. Caching (I don't use Boost) might have interfered - as it is often the case with strange errors.

Thanks again for your work.
Marco

Thanks

Andriy! Just wanted to say thanks for providing this fix. It's easy to find with Google and fixes the problem.

It would have taken me quite a while to understand what was going on without your help.

henrik
