AAARRRGGHHHH!!!: Drupal SSL Form Timeouts


By steve - Posted on 09 August 2006

Why won't Drupal SSL form sessions (running under Apache2 and PHP5) work if the user takes more than 15 seconds to fill out a form????? Well, it only took me 4 full workdays to figure the answer out.

First, I couldn't get SSL forms to get processed at all. I figured out it was an Apache directive that was overriding correct behavior for MS IE browsers. That at least got the form processed, but testing showed a new issue. If a user went to a form protected by SSL, they had only 15 seconds to fill it out before any input would be ignored and an empty form (or at least one with the previous values) would be displayed. The results page (what shows when a user successfully updates a page) wouldn't show.

After much testing, I still couldn't tell if the problem was with Drupal 4.7, the webform module, SSL, PHP, or Apache2.

It took me forever to figure out that it was consistently 15 seconds (until I got out my watch, it seemed to be pretty random, working sometimes and not others).

Here's what I figured out (it was the default configuration of Apache2 combined with the way PHP and Drupal handle SSL):

  • Apache 2 on Ubuntu 6.06 comes pre-configured to "dumb down" connectivity with old MS IE browsers. This prevented any SSL form processing from working with IE 6. I remarked out all of the old references and replaced them with less restrictive directives:

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    was #'d out and replaced with:

    SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown

    I made this change in all configuration files as needed (for a list: grep -R MSIE /etc/apache2/*), but specifically it needed to be in my /etc/apache2/sites-available/ssl configuration file.

    This allowed the form to be submitted, but it had to be within 15 seconds.

  • Next, I changed apache2.conf so that KeepAliveTimeout was longer than 15 seconds:

    KeepAliveTimeout 150

  • Restart apache2: /etc/init.d/apache2 restart
  • This appeared to fix it, but I could not get IE to correctly submit a page if the user waited more than 60 seconds to fill out the form. It seemed to be an issue with Firefox, as well. Back to the drawing board...
  • So after days of messing about with this, it seems I needed to add a directive to the SSL virtual host configuration file in Apache2. I had a line like this:

    SSLOptions +StrictRequire

    I appended this: +OptRenegotiate

    So now it looks like this:

    SSLOptions +StrictRequire +OptRenegotiate

    Now the user can take as long as they like to fill out the form and it really works.
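
The following script is an added example, not part of the original post: it audits an Apache configuration tree for the three settings changed in the steps above. The function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Apache config tree
# for the three settings the post changed. Only active (uncommented) lines count.

# Active MSIE SetEnvIf lines that still carry the flags the post removed.
find_restrictive_msie() {
    grep -RniE '^[[:space:]]*SetEnvIf[[:space:]]+User-Agent[[:space:]].*MSIE.*(nokeepalive|downgrade-1\.0|force-response-1\.0)' "$1" || true
}

# KeepAliveTimeout directives at or below a limit in seconds (default 15).
# Assumption: values are plain integers (seconds), as in the post.
find_short_keepalive() {
    grep -RniE '^[[:space:]]*KeepAliveTimeout[[:space:]]+[0-9]+[[:space:]]*$' "$1" |
        awk -v max="${2:-15}" '{ if ($NF + 0 <= max) print }'
}

# SSLOptions lines that do not enable OptRenegotiate ("-OptRenegotiate" counts as missing).
find_ssloptions_without_optreneg() {
    grep -RniE '^[[:space:]]*SSLOptions[[:space:]]' "$1" |
        grep -viE '[[:space:]]\+?OptRenegotiate' || true
}

# Run all three checks; return 1 if any of them produced a finding.
audit_apache_ssl_forms() {
    rc=0
    for check in find_restrictive_msie find_short_keepalive find_ssloptions_without_optreneg; do
        out=$("$check" "$1")
        if [ -n "$out" ]; then printf '%s:\n%s\n' "$check" "$out"; rc=1; fi
    done
    return "$rc"
}

# Constructed sample tree mirroring the post's "before" state; prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/sites-available"
    printf '%s\n' 'KeepAliveTimeout 15' > "$d/apache2.conf"
    printf '%s\n' \
        '#SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown' \
        'SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0' \
        'SSLOptions +StrictRequire' > "$d/sites-available/ssl"
    echo "$d"
}

sample=$(make_sample_tree)
audit_apache_ssl_forms "$sample" || echo "findings listed above"
rm -rf "$sample"
```

To check a real configuration, call audit_apache_ssl_forms with /etc/apache2 as its argument. Under the prefork and worker MPMs a long KeepAliveTimeout keeps a worker occupied for each idle connection, so watch worker limits after raising it.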

My SSL loaded pages are Form Posts in Drupal are sent in the clear. Wondering if the Mojo had any advice before I rewrite some core drupal.

Are you using the "secure pages" module? That normally handles everything for you. You can secure everything or only selected named pages (and also use wildcards).

Are you having problems with only one particular module of Drupal or is it everywhere?

sj
