Question

I run a D7 site that for some reason is not allowing users to reset their passwords, but only on the server. The email with the one-time login link is sent just fine, but when the user clicks on the link, they get a 403 page with the generic "You are not authorized to access this page" message. I know this must be server environment specific, because with a clone of the site on my local machine (sending the email using the SMTP module), it works just fine. I'm guessing the issue happens in user_edit_access(), where it is comparing the value of $account->uid with $GLOBALS['user']->uid, but that's just a guess at this point.

Any suggestions as to what the problem could be? The servers are using Varnish, so that's one thought that came to mind, but I'm not sure how to figure that out.

Thanks.


Solution

Commenting out the line /* $cookie_domain = $_SERVER['HTTP_HOST']; */ in settings.php, in the path \sites\defaults, will work for you.

Or else use the code below in settings.php:

<?php
/**
 * Drupal automatically generates a unique session cookie name for each site
 * based on its full domain name. If you have multiple domains pointing at the
 * same Drupal site, you can either redirect them all to a single domain (see
 * comment in .htaccess), or uncomment the line below and specify their shared
 * base domain. Doing so assures that users remain logged in as they cross
 * between your various domains. Make sure to always start the $cookie_domain
 * with a leading dot, as per RFC 2109.
 */
$cookie_domain = '.your_domain.com';
$conf['https'] = TRUE;
?>

On sites with anonymous users, it is handy not to set this, so that you can log in as admin in one tab and be anonymous in another by not using "www" on one of them.

source
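
Added example, not part of the original answer and not Drupal's own code: a simplified PHP model of how a Drupal 7 session cookie gets its domain and name, and of whether a browser on the public hostname would keep that cookie. The hostnames, the HTTP_HOST values a proxy might hand to PHP, and all function names are assumptions made for illustration.

```php
<?php
// Added example: simplified model of Drupal 7's session cookie setup.
// Hostnames are constructed; function names are hypothetical.

// Cookie domain when settings.php leaves $cookie_domain unset.
function derived_cookie_domain($http_host) {
  $domain = ltrim($http_host, '.');
  if (strpos($domain, 'www.') === 0) {
    $domain = substr($domain, 4);
  }
  $parts = explode(':', $domain);  // drop a port number, if any
  return '.' . $parts[0];
}

// Cookie name: SESS (or SSESS over HTTPS) plus a hash of the seed string.
function session_cookie_name($seed, $secure) {
  return ($secure ? 'SSESS' : 'SESS') . substr(hash('sha256', $seed), 0, 32);
}

// Domain-match test: does a browser on $browser_host keep this cookie?
function browser_keeps_cookie($browser_host, $cookie_domain) {
  $d = strtolower(ltrim($cookie_domain, '.'));
  $h = strtolower($browser_host);
  return $h === $d || substr($h, -strlen('.' . $d)) === '.' . $d;
}

$browser_host = 'www.example.com';  // what the visitor typed (constructed)
$cases = array(
  // label => array(HTTP_HOST seen by PHP, $cookie_domain from settings.php or NULL)
  'unset, host passed through'  => array('www.example.com', NULL),
  'HTTP_HOST with backend port' => array('www.example.com:8080', 'www.example.com:8080'),
  'HTTP_HOST is backend name'   => array('backend.internal', 'backend.internal'),
  'fixed base domain'           => array('backend.internal', '.example.com'),
);

foreach ($cases as $label => $case) {
  list($http_host, $configured) = $case;
  $domain = $configured !== NULL ? $configured : derived_cookie_domain($http_host);
  // Assumption: site at the web root, so the unset-case seed is just the host.
  $seed = $configured !== NULL ? $configured : $http_host;
  printf("%-28s domain=%-22s kept=%-3s %s\n", $label, $domain,
    browser_keeps_cookie($browser_host, $domain) ? 'yes' : 'no',
    session_cookie_name($seed, TRUE));
}
```

A row with kept=no means the browser discards the session cookie, so the request that follows the one-time login arrives as an anonymous user.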

Licensed under: CC-BY-SA with attribution
Not affiliated with drupal.stackexchange