[phpMyAdmin Developers] [User Question/Possible issue or bug] Cookie Authentication doesn't work in chrooted PHP-FPM setup with restricted PHP settings

Lukas Laukamp phpmyadmin at mailinglists.me
Sat Jan 7 21:22:45 CET 2017


Hello Michal,

On 2017-01-06 17:10, Michal Čihař wrote:
> Hello
> 
> First of all this is really not the place to ask for support, see
> <https://www.phpmyadmin.net/support/>.
> 
> Lukas L. wrote on Tue 03. 01. 2017 at 15:39 +0100:
>> I have a problem with the Cookie authentication. I will try to
>> explain my setup and the appearing problem as well as possible. It's
>> a bit complicated due to the fact that there is no error message in
>> the interface and in the logs.
>> 
>> Setup
>> 
>> The system is an Ubuntu 16.04 LTS (Xenial) with PHP-FPM, Nginx and
>> MySQL installed from the package repositories.
>> 
>> I use PHP-FPM pools, where every pool has its own chroot.
>> 
>> Nginx connects to PHP-FPM with Unix-Sockets.
>> 
>> I am using phpMyAdmin version 4.6.5.2.
>> 
>> Problem
>> 
>> phpMyAdmin is installed and accessible on a subdomain. All traffic is
>> exchanged via HTTPS.
>> 
>> Actually phpMyAdmin connects to MySQL via TCP connection. The problem
>> is that the Cookie authentication doesn't work. So if I set
>> $cfg[auth_type] = "cookie"; I can't log in to phpMyAdmin. The
>> interface and the logs don't show any errors. When I change the
>> mentioned variable to "http" so that HTTP Auth is used, the login
>> works without problems.
>> 
>> Configuration
>> 
>> I use a few special PHP settings for security reasons. They are
>> mostly the same as in the OWASP PHP Configuration Cheat Sheet. This
>> document can be found here:
>> https://www.owasp.org/index.php/PHP_Configuration_Cheat_Sheet
> 
> Are you accessing phpMyAdmin over https? If not, then setting
> session.cookie_secure = On from that list will break it as the
> browser won't send back the cookies.
> 

I know that this mailing list isn't really the right place to ask for
help. But I think the problem is so deeply related to the phpMyAdmin
source that it can't be solved very easily.

I'm accessing phpMyAdmin via HTTPS. I tested the mentioned setting in the On
and Off states. In both situations it doesn't work.

As I said, I'm getting no errors. So I have no indication of where to
search for the problem. I think this would only be possible if I
knew the phpMyAdmin source in detail.

Best Regards




