[User Quesion/Possible issue or bug] Cookie Authentication doesn't work in chrooted PHP-FPM setup with restricted PHP settings
Hello all,
I have a problem with the Cookie authentication. I will try to explain my setup and the appearing problem as good as possible. It's a bit complicated due to the fact, that there is no error message in the interface and in the logs.
SETUP
The system is an Ubuntu 16.04 LTS (Xenial) with PHP-FPM, Nginx and MySQL installed from the package repositories.
I use PHP-FPM pools, where every pool, has an own chroot.
Nginx connects to PHP-FPM with Unix-Sockets.
I am using phpMyAdmin version 4.6.5.2.
PROBLEM
phpMyAdmin is installed and accessible on a subdomain. All traffic is exchanged via HTTPS.
Actually phpMyAdmin connects to MySQL via TCP connection. The problem is, that the Cookie authentication doesn't work. So if I set $cfg[auth_type] = "cookie"; I can't login to phpMyAdmin. The interface and the logs doesn't show any errors. When I change the mentioned variable to "http" so that HTTP Auth is used, the login works without problems.
CONFIGURATION
I use a few special PHP settings for security reasons. They are mostly the same as in the OWASP PHP Configuration Cheat Sheet. This document can be found here: https://www.owasp.org/index.php/PHP_Configuration_Cheat_Sheet
As I said no error is shown, and no error goes into the PHP log of the pool. I think all is related to the cookie or session handling, but I don't know how I could debug this.
CHECKED THINGS
I already checked the following:
1. The mcrypt extension is installed
2. Session data can be stored correctly
3. Disable the cookie and session related settings
CONCLUSION
I have checked some things but couldn't figure it out. So I would be happy about every type of help. If more information is needed please tell me what exactly is necessary.
P.S. Sorry for my bad english.
Hello
First of all this is really not the place to ask for support, see <http s://www.phpmyadmin.net/support/>.
Lukas L. píše v Út 03. 01. 2017 v 15:39 +0100:
I have a problem with the Cookie authentication. I will try to explain my setup and the appearing problem as good as possible. It's a bit complicated due to the fact, that there is no error message in the interface and in the logs.
Setup
The system is an Ubuntu 16.04 LTS (Xenial) with PHP-FPM, Nginx and MySQL installed from the package repositories.
I use PHP-FPM pools, where every pool, has an own chroot.
Nginx connects to PHP-FPM with Unix-Sockets.
I am using phpMyAdmin version 4.6.5.2.
Problem
phpMyAdmin is installed and accessible on a subdomain. All traffic is exchanged via HTTPS.
Actually phpMyAdmin connects to MySQL via TCP connection. The problem is, that the Cookie authentication doesn't work. So if I set $cfg[auth_type] = "cookie"; I can't login to phpMyAdmin. The interface and the logs doesn't show any errors. When I change the mentioned variable to "http" so that HTTP Auth is used, the login works without problems.
Configuration
I use a few special PHP settings for security reasons. They are mostly the same as in the OWASP PHP Configuration Cheat Sheet. This document can be found here: https://www.owasp.org/index.php/PHP_Configuration_Cheat_Sheet
Are you accessing phpMyAdmin over https? If not than setting session.cookie_secure = On from that list will break it as the browser won't send back the cookies.
Hello Michal,
Am 2017-01-06 17:10, schrieb Michal Čihař:
Hello
First of all this is really not the place to ask for support, see <http s://www.phpmyadmin.net/support/>.
Lukas L. píše v Út 03. 01. 2017 v 15:39 +0100:
I have a problem with the Cookie authentication. I will try to explain my setup and the appearing problem as good as possible. It's a bit complicated due to the fact, that there is no error message in the interface and in the logs.
Setup
The system is an Ubuntu 16.04 LTS (Xenial) with PHP-FPM, Nginx and MySQL installed from the package repositories.
I use PHP-FPM pools, where every pool, has an own chroot.
Nginx connects to PHP-FPM with Unix-Sockets.
I am using phpMyAdmin version 4.6.5.2.
Problem
phpMyAdmin is installed and accessible on a subdomain. All traffic is exchanged via HTTPS.
Actually phpMyAdmin connects to MySQL via TCP connection. The problem is, that the Cookie authentication doesn't work. So if I set $cfg[auth_type] = "cookie"; I can't login to phpMyAdmin. The interface and the logs doesn't show any errors. When I change the mentioned variable to "http" so that HTTP Auth is used, the login works without problems.
Configuration
I use a few special PHP settings for security reasons. They are mostly the same as in the OWASP PHP Configuration Cheat Sheet. This document can be found here: https://www.owasp.org/index.php/PHP_Configuration_Cheat_Sheet
Are you accessing phpMyAdmin over https? If not than setting session.cookie_secure = On from that list will break it as the browser won't send back the cookies.
Developers mailing list Developers@phpmyadmin.net https://lists.phpmyadmin.net/mailman/listinfo/developers
I know that this mailinglist isn't really the right place to ask for help. But I think the problem is that deeply related to the phpMyAdmin Source, that it can't be solved very easy.
I'm accessing phpMyAdmin via HTTPS. I tested the mentioned setting in On and Off state. In both situations it doesn't work.
As I told, i'm getting no errors. So I have no indications where to search the problem. I think this would just be possible when I would know the phpMyAdmin Source in detail.
Best Regards
-
Lukas L. -
Lukas Laukamp
-
Michal Čihař