Very often, when you enable the OpenID module in Drupal and try to log in with OpenID, you receive "Page not found", while everything works fine on localhost.
The problem occurs after you have authenticated at the OpenID provider's website and it redirects you back to your website with a URL of the form: http://www.gerixsoft.com/openid/authenticate?destination=user&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&...
The problem is that the parameters of this redirect URL contain other URLs. URLs of this kind are considered dangerous and are very often blocked by hosting providers by means of the Apache mod_security module; it is mod_security that actually generates the 403/404/Page not found.
One solution is to follow guidelines found on the net and ask your hosting provider to disable mod_security rules 1234234, 340151, 340153 and 340163. However, after some time the modifications may be reset and you will face the problem again. Another option is to disable mod_security, but this is not secure and may expose your site to even bigger problems.
The solution I have come to is to selectively reverse the effect of mod_security in PHP code. The patch I have developed undoes the 403/404 generated by mod_security for OpenID URLs only; the rest of the URLs are not touched. So OpenID works and the website stays protected.
Just open index.php and put the code below at line 20, just below the "$return = menu_execute_active_handler();" line:
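// © by Andriy Gerasika from GerixSoft, Ltd.
// Drupal found no page for this request: check whether it is an OpenID URL.
if (is_int($return) && $return == MENU_NOT_FOUND) {
    $uri = $_SERVER['REQUEST_URI'];
    $path = parse_url($uri, PHP_URL_PATH);
    // Only the OpenID return URL and the per-user OpenID page are replayed.
    if ($path == '/openid/authenticate' || preg_match('#^/user/[0-9]+/openid$#', $path)) {
        // Rebuild the query string Drupal expects, with q set to the path.
        $path = substr($path, 1);
        $query = 'q=' . $path . '&' . parse_url($uri, PHP_URL_QUERY);
        $_SERVER['QUERY_STRING'] = $query;
        parse_str($query, $_REQUEST);
        parse_str($query, $_GET);
        // Run the menu handler again with the restored parameters.
        $return = menu_execute_active_handler();
    }
}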
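A tighter variant of the query rebuild, as an added example that is not part of the original patch: it copies only the parameters an OpenID return request is expected to carry, so the replayed request brings nothing else past mod_security. The function name openid_replay_query and the allow-list (destination plus keys starting with "openid.") are assumptions made for illustration.

```php
<?php
// Added example, not part of the original patch. The function name and the
// allow-list are assumptions made for illustration.

/**
 * Rebuild the query string for a replayed OpenID request, keeping only the
 * parameters on the allow-list. Works on the raw string, not parse_str(),
 * because parse_str() turns the dots in keys like "openid.mode" into "_".
 */
function openid_replay_query($request_uri) {
  $path = parse_url($request_uri, PHP_URL_PATH);
  if (!is_string($path)
      || ($path !== '/openid/authenticate'
          && !preg_match('#^/user/[0-9]+/openid$#', $path))) {
    return NULL; // Not an OpenID URL: leave the 404 as it is.
  }
  $kept = array('q=' . substr($path, 1));
  $raw = parse_url($request_uri, PHP_URL_QUERY);
  foreach (explode('&', (string) $raw) as $pair) {
    if ($pair === '') {
      continue;
    }
    $parts = explode('=', $pair, 2);
    $key = urldecode($parts[0]);
    // Assumed allow-list: "destination" plus the "openid." namespace.
    // A client-supplied "q" is not on it, so q is always the checked path.
    if ($key === 'destination' || strpos($key, 'openid.') === 0) {
      $kept[] = $pair;
    }
  }
  return implode('&', $kept);
}

// Constructed sample input with an unrelated parameter and an extra q.
$uri = '/openid/authenticate?destination=user&q=admin'
     . '&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0'
     . '&openid.mode=id_res&extra=1';
echo openid_replay_query($uri), "\n";
```

In the patch, the returned string would take the place of $query, and a NULL result would leave $return untouched.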
P.S.
Now that OpenID works OK in Drupal, you may give my OpenID Selector Drupal module a try ;)