[phpMyAdmin Developers] [User Question/Possible issue or bug] Cookie Authentication doesn't work in chrooted PHP-FPM setup with restricted PHP settings

Lukas L. phpmyadmin at mailinglists.me
Tue Jan 3 15:39:56 CET 2017


Hello all, 

I have a problem with the Cookie authentication. I will try to explain
my setup and the problem as well as possible. It's a bit
complicated due to the fact that there is no error message in the
interface or in the logs.

SETUP 

The system is an Ubuntu 16.04 LTS (Xenial) with PHP-FPM, Nginx and MySQL
installed from the package repositories. 

I use PHP-FPM pools, where every pool has its own chroot.

Nginx connects to PHP-FPM via Unix sockets.

I am using phpMyAdmin version 4.6.5.2. 

PROBLEM 

phpMyAdmin is installed and accessible on a subdomain. All traffic is
exchanged via HTTPS. 

Actually phpMyAdmin connects to MySQL via TCP connection. The problem
is that the Cookie authentication doesn't work. So if I set
$cfg[auth_type] = "cookie"; I can't log in to phpMyAdmin. The interface
and the logs don't show any errors. When I change the mentioned
variable to "http" so that HTTP Auth is used, the login works without
problems.

CONFIGURATION 

I use a few special PHP settings for security reasons. They are mostly
the same as in the OWASP PHP Configuration Cheat Sheet. This document
can be found here:
https://www.owasp.org/index.php/PHP_Configuration_Cheat_Sheet 

As I said, no error is shown, and no error goes into the PHP log of the
pool. I think it is all related to the cookie or session handling, but I
don't know how I could debug this.

CHECKED THINGS 

I already checked the following: 

1. The mcrypt extension is installed 

2. Session data can be stored correctly 

3. Disabling the cookie- and session-related settings

CONCLUSION 

I have checked some things but couldn't figure it out. So I would be
happy about any kind of help. If more information is needed, please
tell me what exactly is necessary.

P.S. Sorry for my bad English.