Contrib.social

RuntimeException: Failed to start the session because headers have already been sent

Open on Drupal.org →
Created on 14 February 2025, 4 months ago

Summary

Drupal 10.4.2

When logging into an account with MFA enabled (/login/user/*/authenticate), a PHP log error is generated:

RuntimeException: Failed to start the session because headers have already been sent by "/home/domain/domains/example.com/public_html/vendor/symfony/http-foundation/Response.php" at line 431. in Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage->start() (line 132 of /home/domain/domains/example.com/public_html/vendor/symfony/http-foundation/Session/Storage/NativeSessionStorage.php)
#0 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/Session/SessionManager.php(162): Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage->start()
#1 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/Session/SessionManager.php(193): Drupal\Core\Session\SessionManager->startNow()
#2 /home/domain/domains/example.com/public_html/vendor/symfony/http-foundation/Session/Session.php(171): Drupal\Core\Session\SessionManager->save()
#3 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/StackMiddleware/Session.php(56): Symfony\Component\HttpFoundation\Session\Session->save()
#4 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/StackMiddleware/KernelPreHandle.php(48): Drupal\Core\StackMiddleware\Session->handle()
#5 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/StackMiddleware/ContentLength.php(28): Drupal\Core\StackMiddleware\KernelPreHandle->handle()
#6 /home/domain/domains/example.com/public_html/core/modules/big_pipe/src/StackMiddleware/ContentLength.php(32): Drupal\Core\StackMiddleware\ContentLength->handle()
#7 /home/domain/domains/example.com/public_html/core/modules/page_cache/src/StackMiddleware/PageCache.php(116): Drupal\big_pipe\StackMiddleware\ContentLength->handle()
#8 /home/domain/domains/example.com/public_html/core/modules/page_cache/src/StackMiddleware/PageCache.php(90): Drupal\page_cache\StackMiddleware\PageCache->pass()
#9 /home/domain/domains/example.com/public_html/modules/contrib/shield/src/ShieldMiddleware.php(263): Drupal\page_cache\StackMiddleware\PageCache->handle()
#10 /home/domain/domains/example.com/public_html/modules/contrib/shield/src/ShieldMiddleware.php(219): Drupal\shield\ShieldMiddleware->bypass()
#11 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/StackMiddleware/ReverseProxyMiddleware.php(48): Drupal\shield\ShieldMiddleware->handle()
#12 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/StackMiddleware/NegotiationMiddleware.php(51): Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle()
#13 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/StackMiddleware/AjaxPageState.php(36): Drupal\Core\StackMiddleware\NegotiationMiddleware->handle()
#14 /home/domain/domains/example.com/public_html/modules/contrib/remove_http_headers/src/StackMiddleware/RemoveHttpHeadersMiddleware.php(49): Drupal\Core\StackMiddleware\AjaxPageState->handle()
#15 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/StackMiddleware/StackedHttpKernel.php(51): Drupal\remove_http_headers\StackMiddleware\RemoveHttpHeadersMiddleware->handle()
#16 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/DrupalKernel.php(741): Drupal\Core\StackMiddleware\StackedHttpKernel->handle()
#17 /home/domain/domains/example.com/public_html/index.php(19): Drupal\Core\DrupalKernel->handle()
#18 {main}

You are able to enter your passcode and successfully login.

The error is not generated with the module (or just MFA) disabled (or with Maintenance Mode enabled).

In this particular instance, the login path is rewritten, and shield and the remove_http_headers modules are installed. To isolate the issue, those have all been disabled - which does not resolve the issue; but disabling MFA does.

🐛 Bug report
Status

Active

Version

5.1

Component

Code

Created by

🇳🇿New Zealand webindustries

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @webindustries
  • Comment 3 months ago
    🇺🇸United States bfuzze9898

    I am seeing this issue on Drupal 10.3.11 with miniorange_2fa 5.1.10.
    It goes away if I downgrade to 5.1.6, however I did not test 5.1.7-5.1.9.

  • Comment 26 days ago
    🇧🇪Belgium jurgenr

    This issue has started since version 5.1.10, and is also triggered in 5.2.*.

    The error is triggered because the method invokeTfaforEndUser() in MoAuthUtilities.php calls $response->send() in the middle of the Drupal business logic. The $response object should be returned, so it could be handled by the calling code.

    There are a lot of $response->send(); in the code, so providing a patch should handle all these cases.

  • Comment 17 days ago
    🇮🇳India sudhanshuD Pune, Maharashtra

    Hi @jurgenr, The 5.2.0 version mainly includes security issue fixes. Due to this, the latest release does not address the other issues. A new release is planned soon to tackle other issues. In the meantime, I can provide you with a patch for this. Currently working on it.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024