Contrib.social

RuntimeException: Failed to start the session because headers have already been sent

Open on Drupal.org โ†’
Created on 14 February 2025, 5 months ago

Summary

Drupal 10.4.2

When logging into an account with MFA enabled (/login/user/*/authenticate), a PHP log error is generated:

RuntimeException: Failed to start the session because headers have already been sent by "/home/domain/domains/example.com/public_html/vendor/symfony/http-foundation/Response.php" at line 431. in Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage->start() (line 132 of /home/domain/domains/example.com/public_html/vendor/symfony/http-foundation/Session/Storage/NativeSessionStorage.php)
#0 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/Session/SessionManager.php(162): Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage->start()
#1 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/Session/SessionManager.php(193): Drupal\Core\Session\SessionManager->startNow()
#2 /home/domain/domains/example.com/public_html/vendor/symfony/http-foundation/Session/Session.php(171): Drupal\Core\Session\SessionManager->save()
#3 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/StackMiddleware/Session.php(56): Symfony\Component\HttpFoundation\Session\Session->save()
#4 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/StackMiddleware/KernelPreHandle.php(48): Drupal\Core\StackMiddleware\Session->handle()
#5 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/StackMiddleware/ContentLength.php(28): Drupal\Core\StackMiddleware\KernelPreHandle->handle()
#6 /home/domain/domains/example.com/public_html/core/modules/big_pipe/src/StackMiddleware/ContentLength.php(32): Drupal\Core\StackMiddleware\ContentLength->handle()
#7 /home/domain/domains/example.com/public_html/core/modules/page_cache/src/StackMiddleware/PageCache.php(116): Drupal\big_pipe\StackMiddleware\ContentLength->handle()
#8 /home/domain/domains/example.com/public_html/core/modules/page_cache/src/StackMiddleware/PageCache.php(90): Drupal\page_cache\StackMiddleware\PageCache->pass()
#9 /home/domain/domains/example.com/public_html/modules/contrib/shield/src/ShieldMiddleware.php(263): Drupal\page_cache\StackMiddleware\PageCache->handle()
#10 /home/domain/domains/example.com/public_html/modules/contrib/shield/src/ShieldMiddleware.php(219): Drupal\shield\ShieldMiddleware->bypass()
#11 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/StackMiddleware/ReverseProxyMiddleware.php(48): Drupal\shield\ShieldMiddleware->handle()
#12 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/StackMiddleware/NegotiationMiddleware.php(51): Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle()
#13 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/StackMiddleware/AjaxPageState.php(36): Drupal\Core\StackMiddleware\NegotiationMiddleware->handle()
#14 /home/domain/domains/example.com/public_html/modules/contrib/remove_http_headers/src/StackMiddleware/RemoveHttpHeadersMiddleware.php(49): Drupal\Core\StackMiddleware\AjaxPageState->handle()
#15 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/StackMiddleware/StackedHttpKernel.php(51): Drupal\remove_http_headers\StackMiddleware\RemoveHttpHeadersMiddleware->handle()
#16 /home/domain/domains/example.com/public_html/core/lib/Drupal/Core/DrupalKernel.php(741): Drupal\Core\StackMiddleware\StackedHttpKernel->handle()
#17 /home/domain/domains/example.com/public_html/index.php(19): Drupal\Core\DrupalKernel->handle()
#18 {main}

You are able to enter your passcode and successfully login.

The error is not generated with the module (or just MFA) disabled (or with Maintenance Mode enabled).

In this particular instance, the login path is rewritten, and shield and the remove_http_headers modules are installed. To isolate the issue, those have all been disabled - which does not resolve the issue; but disabling MFA does.

๐Ÿ› Bug report
Status

Active

Version

5.1

Component

Code

Created by

๐Ÿ‡ณ๐Ÿ‡ฟNew Zealand webindustries

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @webindustries
  • Comment 4 months ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States bfuzze9898

    I am seeing this issue on Drupal 10.3.11 with miniorange_2fa 5.1.10.
    It goes away if I downgrade to 5.1.6, however I did not test 5.1.7-5.1.9.

  • Comment 2 months ago โ†’
    ๐Ÿ‡ง๐Ÿ‡ชBelgium jurgenr

    This issue has started since version 5.1.10, and is also triggered in 5.2.*.

    The error is triggered because the method invokeTfaforEndUser() in MoAuthUtilities.php calls $response->send() in the middle of the Drupal business logic. The $response object should be returned, so it could be handled by the calling code.

    There are a lot of $response->send(); in the code, so providing a patch should handle all these cases.

  • Comment about 2 months ago โ†’
    ๐Ÿ‡ฎ๐Ÿ‡ณIndia sudhanshuD Pune, Maharashtra

    Hi @jurgenr, The 5.2.0 version mainly includes security issue fixes. Due to this, the latest release does not address the other issues. A new release is planned soon to tackle other issues. In the meantime, I can provide you with a patch for this. Currently working on it.

  • Comment 21 days ago โ†’
    kohei_iwamura

    Iโ€™ve also encountered the error described in this issue. Although I'm still able to log in and it doesnโ€™t seem to affect functionality, is there anything I should be concerned about?

    Also, has there been any progress on the fix?

  • Comment 20 days ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States bfuzze9898

    Any updates on the patch?

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024