[Phpmyadmin-devel] how to allow access to page without token

Mohamed Ashraf mohamed.ashraf.213 at gmail.com
Thu Oct 3 15:34:16 CEST 2013


On Thu, Oct 3, 2013 at 3:25 PM, Michal Čihař <michal at cihar.com> wrote:

> Hi
>
> On Thu, 3 Oct 2013 14:49:35 +0200
> Mohamed Ashraf <mohamed.ashraf.213 at gmail.com> wrote:
>
> > I want to allow access to the scripts page without a token and at the same
> > time I want to check the current config settings.
>
> Maybe it's better to describe what you want to actually achieve.
>
I want to know if the user has enabled error reporting or not.

>
> > The current method I use
> > to check config settings is by including common.inc.php to the script but
> > the problem is that common.inc.php removes all GET params if the token is
> > incorrect.
>
> That's exactly the purpose of the token. In case you're doing the request from
> phpMyAdmin the token is available in session, so including it should
> not be hard...
>
Yes, normally it is, but during logout the token is reset multiple times and
is changed after the page is loaded somewhere, so when
get_scripts.js.php is being fetched an old and invalid token is used, and thus
the page is not displayed.

Here is what happens:
1 - the logout page is requested,
2 - the token is reset since the user is not logged in
3 - then the HTML is created to load the get_scripts file using this new
token, which is correct
4 - some time after this the token is reset again. I don't know where this
happens. I output the token at the end of the response class response
method and it is still the same.
5 - the request to the get_script file is made using the old token, which is
rejected

>
> --
>         Michal Čihař | http://cihar.com | http://blog.cihar.com


-- 
Mohamed Ashraf
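
A minimal PHP model of the sequence in steps 1-5 above, added here as an illustration; it is not phpMyAdmin code and not from either poster. The names `resetToken`, `filterParams`, `$resetLog` and the `scripts` parameter are hypothetical, PHP 7+ is assumed for `random_bytes`, and the per-reset call-site log is one way to find where an unexpected second reset comes from.

```php
<?php
// Simplified model of a session-bound token check (constructed example,
// not phpMyAdmin code). $session stands in for $_SESSION.

$session  = ['token' => null];
$resetLog = [];   // one entry per token reset: new token + call site

function resetToken(array &$session, array &$resetLog): string
{
    $session['token'] = bin2hex(random_bytes(16));
    // Record where the reset was triggered from, to locate unexpected resets.
    $frame = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 1)[0];
    $resetLog[] = [
        'token' => $session['token'],
        'at'    => basename($frame['file']) . ':' . $frame['line'],
    ];
    return $session['token'];
}

// Mirrors the behaviour described in the thread: when the token does not
// match the session, the request parameters are discarded.
function filterParams(array $get, array $session): array
{
    $sent = isset($get['token']) ? (string) $get['token'] : '';
    if ($session['token'] === null || !hash_equals($session['token'], $sent)) {
        return [];
    }
    return $get;
}

// Steps 1-2: logout page requested, token reset.
resetToken($session, $resetLog);
// Step 3: HTML is built with the token that is valid at this moment.
// 'scripts' => 'example.js' is a constructed sample parameter.
$scriptUrlParams = ['token' => $session['token'], 'scripts' => 'example.js'];
// Step 4: a later reset invalidates the token already embedded in the HTML.
resetToken($session, $resetLog);
// Step 5: the browser fetches the script with the token from step 3.
$accepted = filterParams($scriptUrlParams, $session);

echo 'params after check: ', json_encode($accepted), PHP_EOL;
foreach ($resetLog as $i => $entry) {
    echo 'reset #', $i + 1, ' at ', $entry['at'], PHP_EOL;
}
```

The stale token from step 3 fails the comparison, so every parameter is dropped, and the log lists the call site of each reset so the second one can be traced.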