$_COOKIE variable has been set to empty when 'pmaCookieVer' empty #13480

Closed
marginchan opened this Issue Jul 12, 2017 · 8 comments

marginchan commented Jul 12, 2017

Steps to reproduce

1. FILE and LINE
https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/common.inc.php
line: 253

2. The whole $_COOKIE variable was set to empty, very coarse behaviour!
When doing secondary development, I need $_COOKIE; I have some variables in it!

It can be this:

if (isset($_COOKIE)) {
    if (! isset($_COOKIE['pmaCookieVer'])
        || $_COOKIE['pmaCookieVer'] != $pma_cookie_version
    ) {
        // delete all cookies
        foreach ($_COOKIE as $cookie_name => $tmp) {
            // We ignore cookies not with pma prefix
            if (strncmp('pma', $cookie_name, 3) != 0) {
                continue;
            }
            unset($_COOKIE[$cookie_name]);
            $GLOBALS['PMA_Config']->removeCookie($cookie_name);
        }
        $GLOBALS['PMA_Config']->setCookie('pmaCookieVer', $pma_cookie_version);
    }
}

nijel self-assigned this Jul 12, 2017

Member

nijel commented Jul 12, 2017

Can you please clarify why you think this is a problem? This code is used when cookies from older phpMyAdmin version are detected and in such case our code should not use them as they are incompatible.

nijel added the question label Jul 12, 2017

marginchan commented Jul 12, 2017

I developed third-party code and injected it into phpMyAdmin.
My code will setcookie for some purpose, but the code above will delete the cookie that I set.

So I hope phpMyAdmin just deletes $_COOKIE['pma****'].

Just a suggestion

Member

nijel commented Jul 12, 2017

This code will delete it only in case there are cookies from older phpMyAdmin version. So this can happen at most once after upgrade...

marginchan closed this Jul 12, 2017

charlesmulder commented Nov 21, 2017

@nijel

We are making use of Signon Authentication. Since upgrading to phpMyAdmin 4.7.5 we have been experiencing an issue where phpMyAdmin considers authenticated users to be not authenticated on the first signon authentication redirect. Subsequent redirects work fine.

I have been looking at the code and the problem seems to be that all cookies are cleared in common.inc.php, whilst later in the process AuthenticationSignon.php checks to see that the SignonSession cookie is set, which of course it isn't, cause the cookies have been cleared.

My current workaround is to set a pmaCookieVer cookie to 5 in signon.php before the redirect.

setcookie('pmaCookieVer', 5, 0, '/examples/phpmyadmin/', '', false, true);

Feels like a bit of a hack. Thoughts?

Thanks,
C
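
An added example, not part of the thread and not phpMyAdmin's code: a model of the two reset policies discussed above, run over a constructed cookie jar, showing why a blanket reset loses the signon session cookie on the first redirect while a prefix-scoped reset does not. The function names, the cookie values and the `my_plugin` cookie are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed cookie jar for a first signon redirect after an upgrade.
// Names and values are illustrative, not taken from a real installation.
$jar = [
    'pmaCookieVer'  => '4',            // stale version marker
    'pmaAuth-1'     => 'stale-blob',   // cookie written by the older release
    'SignonSession' => 'abc123',       // session cookie set by the signon script
    'my_plugin'     => 'keep-me',      // cookie owned by third-party code
];

/** Blanket reset: every cookie is dropped when the version marker mismatches. */
function purgeAll(array $cookies, string $expected): array
{
    if (($cookies['pmaCookieVer'] ?? null) === $expected) {
        return $cookies;
    }
    return ['pmaCookieVer' => $expected];
}

/** Scoped reset: only names starting with $prefix are dropped. */
function purgeScoped(array $cookies, string $expected, string $prefix = 'pma'): array
{
    if (($cookies['pmaCookieVer'] ?? null) === $expected) {
        return $cookies;
    }
    $kept = [];
    foreach ($cookies as $name => $value) {
        // PHP turns numeric cookie names into int keys; cast before comparing.
        if (strncmp((string) $name, $prefix, strlen($prefix)) !== 0) {
            $kept[$name] = $value;
        }
    }
    $kept['pmaCookieVer'] = $expected;
    return $kept;
}

foreach (['purgeAll', 'purgeScoped'] as $policy) {
    $after = $policy($jar, '5');
    printf(
        "%-12s signon session %s, third-party cookie %s, stale pmaAuth-1 %s\n",
        $policy,
        isset($after['SignonSession']) ? 'kept' : 'LOST',
        isset($after['my_plugin']) ? 'kept' : 'LOST',
        isset($after['pmaAuth-1']) ? 'STILL PRESENT' : 'removed'
    );
}
```

Both policies still invalidate the stale `pma`-prefixed cookies, so the scoped variant keeps the upgrade safeguard while leaving cookies it does not own untouched.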

Contributor

nils-van-zuijlen commented Nov 21, 2017

@charlesmulder Seems like you notified the bad person 😁

charlesmulder commented Nov 21, 2017

Apologies. Thanks for letting me know. Rectified.

nijel reopened this Nov 23, 2017

charlesmulder commented Nov 24, 2017

@nijel

Could I take a stab at fixing it?

Member

nijel commented Nov 27, 2017

@charlesmulder Feel free to look at this.

nijel added enhancement and removed question labels Nov 28, 2017

nijel added this to the 4.8.0 milestone Nov 28, 2017

nijel closed this in d76606a Nov 28, 2017
