Logged out at random

[jmkgreen]

Steps to reproduce

1. Log in
2. Perform some page loads
3. Find yourself presented with a log-in screen

Expected behaviour

Should not randomly log me out - only on session cookie timeout

Actual behaviour

The logout can happen within seconds of the page loading. We've even seen it on logging in - immediately get logged back out again.

Server configuration

Docker container of 4.6.1 on a Linux host sat behind an haproxy-1.6 instance

Client configuration

Browser:
Chrome 50.0.2661.94

Operating system:
Windows 10

The docker container logs show 200 OK responses so there appears to be no error. Several members of staff are reporting phpMyAdmin as repeatedly logging them out as they are working. Occasionally we manage a few minutes of use before being logged out but not often.

We may for instance have just received the results of a query then click on the "Export" link and find ourselves at the log in prompt. Something's quite wrong.

[ibennetch]

How are you handling PHP sessions; are you using sticky sessions?

[jmkgreen]

There is only one single container hosting phpMyAdmin so I'm doubting sticky sessions has any bearing on the matter? I'm presuming you are expecting us to be running more than one instance but we are not.

To detail:

haproxy is terminating our SSL connections and there is one back-end connected via HTTP.

[ibennetch]

Indeed, when you mentioned haproxy I did assume you were using it for load balancing.

[nijel]

Do you get the message about session expiry on the login page?

[jmkgreen]

No. Two other members of our staff agree, no session expiry message seen.

[nijel]

Okay, then probably the session cookie is lost or set wrongly. Maybe this is same issue as #12249 where we set wrong cookie path under some circumstances. Can you please check the cookies set by phpMyAdmin?

[jmkgreen]

Similar. We too have dedicated (sub) domains for PMA access. Checking the cookies within Chrome, they all have a path of / which seems correct. They are expiry periods into the future too or are removed on browser close.

[nijel]

So the cookies seem to be just fine. How do you store your PHP sessions and how is configured session cleanup?

[jmkgreen]

We don't. Here's the Dockerfile we build:

FROM phpmyadmin/phpmyadmin

# Set the timezone
ENV TZ=Europe/London
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

This is run within a docker-compose.yaml:

phpmyadmin:
   image: docker-registry.example.com:5000/example/phpmyadmin:latest
   hostname: foo
   environment:
     - PMA_HOST=mysql-server
     - PHP_UPLOAD_MAX_FILESIZE=128M
     - constraint:serverclass!=database
   depends_on:
     - mysql-server
   networks:
     - bar
   restart: unless-stopped

At this point we have an haproxy configuration:

  acl from_office src 10.0.0.0/24 192.168.0.0/16 nnn.nnn.nnn.nnn/32
  acl phpmyadmin             hdr_sub(host) -i phpmyadmin.example.com
 use_backend bk_phpmyadmin_80               if phpmyadmin             from_office
 backend bk_phpmyadmin_80
 server phpmyadmin phpmyadmin:80

So in short we're running pretty much what is shipped to us.

[nijel]

Okay, I will look how the PHP builtin server handles sessions, but I assume this will be the problem as they will be stored in memory only and don't survive process restart (I'm just guessing).

[jmkgreen]

I think PHP stores sessions in files by default? I think in Ubuntu they are in something along the lines of /var/lib/php/... and there's a cron script that deletes those older than n hours (which was notoriously buggy).

I doubt the Docker container does the clean-up at all?

[nijel]

Given that we do not set any session.save_path, it's stored in /tmp. As it's not persistent storage, the sessions will disappear at least on container restart.

[nijel]

Did the previous comment help you? Can your log outs be caused by container restart?

[jmkgreen]

No, sadly not.

I've not personally had need to use the container much since reporting the issue. I will try and find out today whether anyone else has.

[jmkgreen]

Did not have to wait long - have a member of staff complaining that it's really bad this morning. He says he is simply returned to the login screen (there is definitely no mention of having been logged out).

None of our phpmyadmin containers have restarted in several hours so it's clearly not that. The logs show some HTTP 302s but otherwise 200 OKs.

[nijel]

What might be also related is session startup errors (see #12229), but you would see the error before login screen...

[nijel]

Can you try updating to latest image? I've made changes in way how sessions are stored and they are now stored in separate volume, what should limit such problems...

Also as this issue got reported in the Docker image issue tracker, let's followup only there and I'll close this: phpmyadmin/docker#32

[nijel]

Based on discussion in phpmyadmin/docker#32, this really turns down to be bug in the code rather than Docker container. The problem is that some javascript files can send different cookie path than main scripts leading to two session cookies which can interfere.