[thelist] Drupal/Firefox Access issue

Simon MacDonald simonmacdonald at uk2.net
Thu Aug 21 03:05:17 CDT 2008


It's an http:// request - the access denied is coming from Drupal. Drupal is
creating a session for the login. I found a 'fix' on the Drupal forum which
involved clearing all private data (cookies, cache, etc.). When I did this
Drupal allowed the login and presented the correct page. This problem seems
to be mainly FF related though other users report it on IE and it goes back
through various versions of Drupal and browsers. There doesn't seem to be
any explanation of the cause of the issue, or a satisfactory resolution.

So I'm a little confused if this is a Drupal or browser problem - I tend to
opt for a Drupal issue as I haven't seen this kind of problem anywhere else.
Which makes me not want to use Drupal, if users are going to hit this

However, thanks for the explanation of the FF https issue - I wasn't aware
of this.


Simon MacDonald

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Jeffrey Joslin
Sent: 20 August 2008 21:23
To: thelist at lists.evolt.org
Subject: Re: [thelist] Drupal/Firefox Access issue

Simon MacDonald wrote:
> I've just put up a test install of Drupal v6.3 (installed using Fantastico
> on my ISP web space). Access is fine using IE and Safari, but with Firefox
> 3, I log in as admin and get access denied.

It just occurred to me that this sounds an awful lot like it may be 
related to the controversial issue of how Firefox 3.0 now handles 
self-signed certificates.

So, are you attempting to log in via a secure (https:// ) link, via your 
own self-signed certificate (instead of a paid, cert-authority chained 

If you have been attempting to connect via a secure (https:// ) 
connection, have you tried connecting directly to the site in the usual 
http://site.com format?

Background: The new Firefox 3 immediately and automatically rejects 
attempts to connect to servers with self-signed certificates and 
immediately dumps the user to a scary looking "access denied" security 
warning screen similar to what you mention.  The other major browsers 
(such as IE and Safari), on the other hand, simply ask the user if 
they'd like to accept the self-signed certificate being offered to 
complete the connection, easy as clicking an "ok" button when prompted.

This has caused a major controversy out there with many calling this 
default rejection by Firefox 3 a browser-based violation of net 
neutrality concepts, forcing hosts to pay for expensive chained 
certificates just to avoid outright rejection and scary security 
messages displayed to users.

It is possible for the user to go back and manually add a security 
exception for each self-signed certificate one encounters in Firefox 3 
once reaching the site has failed and one has arrived at the security
warning / access failure screen.

But first of all the user has to understand that is an option (and that 
it's their browser that is failing, not the server/host in question...).

From there it is a user-initiated series of two or three steps to
manually load the certificate in question and add it in as an exception, 
each step of which provides potential points of intimidation and/or user 

So back to the question above...is this happening to you via https:// 
connections, or via *all* connections attempted, even as just plain 
http://... ?


