Failed to set session cookie. Maybe you are using HTTP instead of HTTPS

[nik6018]

Steps to reproduce

1. Install PMA 4.8.0
2. Login via HTTP

Expected behaviour

After entering the login information, I should be able to log in

Actual behaviour

It doen't log me in and fails with this error : Failed to set session cookie. Maybe you are using HTTP instead of HTTPS
In previous version of PMA 4.7.9 I didn't face this issue I was able to log in via HTTP and HTTPS without any issue.
Now I am only able to login via HTTPS.

How can I disable this as I cannot find anything in the docs, the closest thing I was able to find is this Link

I am really confused about this.

I checked the file common.inc.php where this error is mentioned, but still wasn't able to figure out the issue.

Web Server configuration

  server{

	listen	   2002;
	listen	   2004;
	server_name  localhost;
	
	# The Document Root
	root	/custom/path;
	
	rewrite "/sess([0-9a-zA-Z]{16})/(.*)" /$2;
	
	# Redirect server error pages to the static pages
	error_page  404					/nginx/404.html;
	error_page  497					/nginx/497.html;
	error_page  500 502 503 504		/nginx/50x.html;		
	location ~ (index.php|/)$ {
	
		fastcgi_pass	unix:/usr/local/php/var/fpm9178.sock;
		if ($uri ~ "^/phpmyadmin/") {
			fastcgi_pass	unix:/usr/local/php/var/fpm9179.sock;
		}
		fastcgi_read_timeout 3600;
		fastcgi_index	index.php;
		fastcgi_param	SCRIPT_FILENAME  $document_root$fastcgi_script_name;
		fastcgi_param	SCRIPT_NAME	  $fastcgi_script_name;
		include			fastcgi_params;
	}

	location ~ \.php$ {
		fastcgi_pass	unix:/usr/local/php/var/fpm9178.sock;
		if ($uri ~ "^/phpmyadmin/") {
			fastcgi_pass	unix:/usr/local/php/var/fpm9179.sock;
		}

		fastcgi_read_timeout 3600;
		fastcgi_index	index.php;
		fastcgi_param	SCRIPT_FILENAME	$document_root$fastcgi_script_name;
		fastcgi_param	SCRIPT_NAME		$fastcgi_script_name;
		include			fastcgi_params;
	}
	
	client_max_body_size 50M;
}

Server configuration

Operating system:
CentOS and Ubuntu

Web server:
Nginx 1.12.2

Database:
MySQL 5.5.59

PHP version:
PHP 5.6.35

phpMyAdmin version:
4.8.0

Client configuration

Browser:
Chrome, FireFox

Operating system:
Windows

[ibennetch]

When you see the error, can you try logging in again? This workaround seems to function for me until we get this fixed.

[nik6018]

@ibennetch yes I tried this multiple times it doesn't work for me.

[ibennetch]

See also https://stackoverflow.com/q/49811804/2385479 for another person with this problem.

[nik6018]

Thanks for the link. But I have rechecked all the configuration files and modules they seem to be ok.
Reinstalled 4.7.9 and everything works as it should.
Will this be fixed in 4.8.1?

[nik6018]

@ibennetch In 4.8.0.1 I am only facing this issue in Chrome. FireFox and Edge work fine.
It seems that during the initial request after entering the login details there is a 302 redirect which authenticates me in FireFox and Edge.
That redirect is not happening in Chrome
Can you give me a hint on how can I check and debug this?

[D-AIRY]

Same error in Firefox 59. In my case issue caused by javascript error which makes tracekit library to query server and rewrite cookies.
As a quick workaround: edit file ./js/vendor/tracekit.js - add return in start of function traceKitWindowOnError

[voltel]

I have the same issue. Run http://phpmyadmin/index.php, provide MySQL valid credentials (not root, but with all privileges; and I tried root as well), have the same error message ("Failed to set session cookie. Maybe you are using HTTP instead of HTTPS to access phpMyAdmin."). So, I checked both FireFox 59.0.2 (64-bit) and Chrome 66.0.3359.117 - the error is reproduced in either browser.

As for suggested workaround (return in the beginning of the traceKitWindowOnError function in ./js/vendor/tracekit.js) - it didn't work for me.

Moreover, I tried manually create a config.inc.php and select other modes of authentication type (e.g. $cfg['Servers'][$i]['auth_type'] = 'config'; or
$cfg['Servers'][$i]['auth_type'] = 'http';);

'http': doesn't work (looks like wrong credentials);

'config': php error:

Fatal error: Uncaught Error: Call to a member function exists() on null in D:\WebSites\phpmyadmin\libraries\classes\DatabaseInterface.php:1544 Stack trace: #0 D:\WebSites\phpmyadmin\libraries\classes\DatabaseInterface.php(2477): PhpMyAdmin\DatabaseInterface->postConnectControl() #1 D:\WebSites\phpmyadmin\libraries\common.inc.php(358): PhpMyAdmin\DatabaseInterface->connect(257) #2 D:\WebSites\phpmyadmin\index.php(26): require_once('D:\\WebSites\\php...') #3 {main} thrown in D:\WebSites\phpmyadmin\libraries\classes\DatabaseInterface.php on line 1544

So, this is dead-end for me. Waiting for new release.

PS. It may be obvious (not for me), but when I tried to configure the server in the setup, (renamed my config.inc.php to _config.inc.php just to hide it, and tried http://phpmyadmin/setup/), there was an indication in the GUI that "There are no configured servers". When I try to configure one by clicking the button "New server", it doesn't modify anything (when I click the button to show the resulting configuration).

[fraban]

Hi - I discovered exactly the same error when switching to 4.8.0.1 from 4.7.9 .
Server is ubuntu 14.04 LTS with nginx/1.10.1 and 5.5.59-MariaDB-1ubuntu0.14.04.1
Testing with phpMyadmin 4.8.0.1 exactly the errors reported here. Going back to 4.7.9 everything is working again. I can reproduce with Firefox and Safari - Chrome not tested

[williamdes]

Thanks to @ntinti #14219 (comment) this is the reason for this error (Call to a member function exists() on null):

Reproduce

-- Random IP
UPDATE mysql.db SET host='127.1.2.1' WHERE Db='phpmyadmin';
FLUSH PRIVILEGES;
-- Now phpmyadmin fails on login : HTTP ERROR 500

-- Assuming host was % before
UPDATE mysql.db SET host='%' WHERE Db='phpmyadmin';
FLUSH PRIVILEGES;
-- Now phpmyadmin succeeds on login

Stacktrace

2018/05/01 17:25:33 [error] 4492#4492: *729 FastCGI sent in stderr: "PHP message: PHP Fatal error:  Uncaught Error: Call to a member function exists() on null in /mnt/Dev/phpmyadmintest/libraries/classes/DatabaseInterface.php:1588
Stack trace:
#0 /mnt/Dev/phpmyadmintest/libraries/classes/DatabaseInterface.php(2544): PhpMyAdmin\DatabaseInterface->postConnectControl()
#1 /mnt/Dev/phpmyadmintest/libraries/common.inc.php(352): PhpMyAdmin\DatabaseInterface->connect(257)
#2 /mnt/Dev/phpmyadmintest/index.php(26): require_once('/mnt/Dev/phpmya...')
#3 {main}
  thrown in /mnt/Dev/phpmyadmintest/libraries/classes/DatabaseInterface.php on line 1588" while reading response header from upstream, client: 127.0.0.1, server: localhost.localdomain, request: "POST /phpmyadmintest/index.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "localhost.localdomain"

[AlviseNicoletti]

This solution is not working for me, however, I want to clarify my situation:

I have phpmyadmin 4.7.9 perfectly working,
when I upgrade to 4.8.0.1 (removing and then copying new files except config.php) I get this error.

[nik6018]

As stated in #14234 Login via HTTP works if in private mode, but doesn't work in normal session.
I tried to clear the cookie for the domain but still the same issue.

[COLABORATI]

Things like login are not tested with this software before a release? Interesting to know!

[nik6018]

@ibennetch Can you please update us with any planned fix for this?

[ibennetch]

@nik6018 Sure, I can make a comment about this.

I hope this is fixed for the next release. In fact, I've held back releasing 4.8.1 because of this bug and #14220. I haven't, personally, had time to look in to either of these issues and I can't speak for anyone else on the development team, but it seems everyone else is quite distracted as well. Since this is a severe problem, I have set the target milestone to 4.8.1, which doesn't assure us that it will be fixed for the release of 4.8.1, but it indicates our desire to have this fixed before the next release. We regret that this bug affects you and wish it weren't in a release version.

[ibennetch]

To address the concern raised by @COLABORATI, yes of course we test the code before release, in fact I use the development version nearly every day and have found many bugs before they were released. I know many of the other developers also use the development version often. In addition, we have a series of automated tests that run before a release is created and after each new code commit is added to the repository; in the case of this bug none of those tests caught the bug. I'm still not able to reproduce it (other than occasionally needing to resubmit my username and password when logging in, which isn't even exactly what is being reported here). So testing such as you propose is performed, but did not catch this particular instance.

[AlviseNicoletti]

I'm in a worse scenario ... if I update to current version I just have fatal errors.

I don't understand ... fresh install works, but I can't update even deleting phpmyadmin tables.

[ibennetch]

I don't think setting the secure option for session_set_cookie_paramsto false is ideal.

Based on comments from nik6018 and others, it seems the problem continues even if the cookies are cleared, which really eliminates a lot of the obvious causes that I see. Without having a clear way to reproduce this or seeing a clear cause, it's difficult to pinpoint the problem without spending more time on it directly. Of course, this is a high-priority problem, but I don't have any answer yet.

As a workaround, you should be able to edit libraries/common.inc.php and comment out lines 188-196, the if block beginning with if (isset($_POST['set_session']) && $_POST['set_session'] != session_id()) {.

[gavtaylor]

Ive been getting this error since upgrading to 4.8.0 as well but I dont access via http, my install is https only.

the message is being triggered when trying to login after a session has expired, opening the login page in a private tab logs in first time. a standard tab errors on first attempt, logs in on the second.

[gavtaylor]

no it logs in first time on private tabs, standard tabs login first time too if I log out and open a new window. its just the expired session triggering this error for me.

I just wanted to mention that my install is HTTPS only, everyone commenting so far has mentioned they also login via http.

I use Firefox (dev edition) but have tested in chrome (stable) as well in case it was a brwoser niggle.

[zangwill]

In my case, I disabled the chrome extension Katalon Recorder (Selenium IDE for Chrome) and it fixed.

[nuxwin]

When login the first time through HTTPS, a secure cookie is set... The problem is that if an user logout and then attempt to login again through HTTP, that will fails because there is already a secure cookie set that of course cannot be sent through HTTP. Same behavior occurs for a session timeout when an user need login again. Basically, if a secure cookie is set, user will have to login through HTTPS only.

There are some browsers allowing setting secure cookies via HTTP protocol but that is a wrong behavior which has been recently deprecated (For instance: FF 52).

There are not reliable solution here. Once the secure cookie is set and if an user want login through HTTP, it will have to remove the secure cookie first. The annoying thing is that you cannot unset a secure cookie for a specific domain via HTTP protocol... The only solution I see here is to set specific session name for both HTTP and HTTPS but this could lead to side effects I think.

[williamdes]

Thanks to https://chrome.google.com/webstore/detail/chrome-extension-source-v/jifpbeccnghkjeaalbbjmodiffmgedin
Here is the source code of "Safe Torrent Scanner"
aegnopegbbhjeeiganiajffnalhlkkjb.zip

If someone finds what is wrong faster than me, post it here ;)

[rangka-kacang]

I’m pretty sure this has nothing to do with Chrome extension. It’s been awhile since I last use the cookie setting. I’ll test this in the next morning and let you guys know the soonest. This bug was reported since Nginx 1.12 and PHP5 but now it’s already like what? Nginx 1.17 and PHP7 yet the bug is still here. We need a better insect repellent equipment... since I’m on Ubuntu and running 4.9.0.1 with mariadb 10.4 i’ll setup a vm to see if this is still the case, otherwise it’s a windows thing 😂

[williamdes]

@rangka-kacang I would not be so sure, I had the issue with the extension and also without
But this issue can be reproduced by very different factors

I looked at the the code of the extension and it does very strange things with 'set-cookies' instructions

[rangka-kacang]

I've tested this just now and I can't produce it anymore. My environment are as follows (and is a fresh install, no extensions, nothing, just stock iso):

ubuntu@ubuntu:~$ uname -a
Linux ubuntu 5.0.0-27-generic #28~18.04.1-Ubuntu SMP Thu Aug 22 03:00:32 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@ubuntu:~$ lsb_release -d
Description:	Ubuntu 18.04.3 LTS
ubuntu@ubuntu:~$ mariadb -V
mariadb  Ver 15.1 Distrib 10.4.8-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
ubuntu@ubuntu:~$ nginx -v
nginx version: nginx/1.17.3
ubuntu@ubuntu:~$ php -v
PHP 7.3.9-1+ubuntu18.04.1+deb.sury.org+1 (cli) (built: Sep  2 2019 12:54:24) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.9, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.9-1+ubuntu18.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies

I have this on my config.inc.php:

<?php
$cfg['blowfish_secret'] = 'hidden';
$cfg['Servers'][1]['auth_type'] = 'cookie';
$cfg['Servers'][1]['host'] = 'localhost';
$cfg['Servers'][1]['compress'] = true;
$cfg['Servers'][1]['AllowNoPassword'] = false;
$cfg['Servers'][1]['controluser'] = 'hidden';
$cfg['Servers'][1]['controlpass'] = 'hidden';
$cfg['Servers'][1]['pmadb'] = 'phpmyadmin';
$cfg['Servers'][1]['bookmarktable'] = 'pma__bookmark';
$cfg['Servers'][1]['relation'] = 'pma__relation';
$cfg['Servers'][1]['table_info'] = 'pma__table_info';
$cfg['Servers'][1]['table_coords'] = 'pma__table_coords';
$cfg['Servers'][1]['pdf_pages'] = 'pma__pdf_pages';
$cfg['Servers'][1]['column_info'] = 'pma__column_info';
$cfg['Servers'][1]['history'] = 'pma__history';
$cfg['Servers'][1]['table_uiprefs'] = 'pma__table_uiprefs';
$cfg['Servers'][1]['tracking'] = 'pma__tracking';
$cfg['Servers'][1]['userconfig'] = 'pma__userconfig';
$cfg['Servers'][1]['recent'] = 'pma__recent';
$cfg['Servers'][1]['favorite'] = 'pma__favorite';
$cfg['Servers'][1]['users'] = 'pma__users';
$cfg['Servers'][1]['usergroups'] = 'pma__usergroups';
$cfg['Servers'][1]['navigationhiding'] = 'pma__navigationhiding';
$cfg['Servers'][1]['savedsearches'] = 'pma__savedsearches';
$cfg['Servers'][1]['central_columns'] = 'pma__central_columns';
$cfg['Servers'][1]['designer_settings'] = 'pma__designer_settings';
$cfg['Servers'][1]['export_templates'] = 'pma__export_templates';
$cfg['UploadDir'] = 'tmp';
$cfg['SaveDir'] = 'tmp';
$cfg['TempDir'] = 'tmp';
$cfg['ShowAll'] = true;

I have no problem accessing and logging in via localhost. I'm using phpMyAdmin 4.9.0.1 from https://files.phpmyadmin.net/phpMyAdmin/4.9.0.1/phpMyAdmin-4.9.0.1-all-languages.zip and Google Chrome Version 77.0.3865.75 (Official Build) (64-bit) from the official repository deb [arch=amd64] https://dl.google.com/linux/chrome/deb stable main -- Tested on both normal and incognito, no problem.

[emmanuelkolawole4]

hello, i just started using laragon and i'm getting the error:
There is mismatch between HTTPS indicated on the server and client. This can lead to non working phpMyAdmin or a security risk. Please fix your server configuration to indicate HTTPS properly.

please could someone walk me through solving this problem?

[dausruddin]

I am using squid proxy (latest) and phpmyadmin refusing to work on it.
Also when I left the tab for some time and it logged out, it will give the same error when I hit login button. Refreshing webpage seems to fix it, but I am hoping for a permanent solution.

[williamdes]

So this issue is now closed in next version, the unfixed (for now) part of this issue is #13172

Please, everybody that can do it:
Apply patch 21695cf (https://github.com/phpmyadmin/phpmyadmin/commit/21695cfeb743d62098abed74a9cceb79bec92560.patch)

And comment about if it works or not on your setup

[click0]

And how to apply this patch?

[ibennetch]

This fix was released as part of phpMyAdmin release 4.9.2. If you are able, please update to that version and let us know in this ticket if you continue to have trouble.

[williamdes]

wget https://github.com/phpmyadmin/phpmyadmin/commit/21695cfeb743d62098abed74a9cceb79bec92560.patch
git apply 21695cfeb743d62098abed74a9cceb79bec92560.patch

But the best option is still to update to 4.9.2

[Pantyboy]

I have just updated to 4.9.2 and it's made no difference. I'm still getting the same error.

[click0]

Thanks.
Updating my problem solved.

[click0]

With the link https://example.com/phpmyadmin/ everything is ok.
In the case of a view link
https://example.com////phpmyadmin/
We get the error:
Failed to set session cookie. Maybe you are using HTTP instead of HTTPS to access phpMyAdmin.

[CallMarl]

Hello I upgrade phpmyadmin to 4.9.2 then the bug is style here.

[CallMarl]

Hello I upgrade phpmyadmin to 4.9.2 then the bug is style here.

My url is: https://10.17.1.109:8443/index.php

[Btazbt]

Getting the same error. Tried using Chrome (all extension disabled), IE, Firefox. Tried options of clearing cookies. Nothing in phpmyadmin, php, or apache error logs. No luck.

using myPHPAdmin 4.9.2 with PHP Version 7.3.12 and MySQL version 8.0.18 with standard authentication.

Failed to set session cookie. Maybe you are using HTTP instead of HTTPS to access phpMyAdmin.

[williamdes]

For everyone that has the issue using 4.9.2 and higher please post in #15634
there is too much discussion here and some issues of this one are solved.
But not all the issues, still some edge cases to fix

[CallMarl]

Hey,
For me applying 4.9.2 didn't solve the mistake on Chrome but on Firefox. As I said previously in my config I have spécifique port and self-signed certificate.
I try new installation from the git repo not the tar then apply many différentes tag:
(I also try STABLE branch)

• RELEASE_4_8_1
• RELEASE_4_8_5
• RELEASE_4_9_0
• RELEASE_4_9_1
• RELEASE_4_9_2

Finally work on Chrome RELEASE_4_7_9:

git checkout tags/RELEASE_4_7_9
composer install --no-dev --optimize-autoloader -d /var/www/phpmyadmin

If needed see my config:

Env

Debian buster
php-7.3
php7.3-fpm
nginx/1.16.1

• nginx_phpmyadmin.conf

upstream php-fpm-phpmyadmin{
	server	admin.slash16.local:9000;
}

server {
	listen 8443 ssl;
	listen [::]:8443 ssl;

	ssl_certificate /phpmyadmin.crt;
	ssl_certificate_key /phpmyadmin.key;

	server_name _;
	root /var/www/phpmyadmin/;
	index index.php;

	location / {
		rewrite ^.*$ /index.php;
	}

	location ~ \.(?:css|js|jpeg|jpg|gif|png|woff|woff2|ttf)$ {
		try_files $uri /$uri =404;
	}

	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass php-fpm-phpmyadmin;
	}

	location ~ /\.ht {
		deny all;
	}
}

• fpm_phpmyadmin.conf

[phpmyadmin]

user = www-data
group = www-data

listen.owner = www-data
listen.group = www-data
listen = 0.0.0.0:9000

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

• config.inc.php

<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 * phpMyAdmin sample configuration, you can use it as base for
 * manual configuration. For easier setup you can use setup/
 *
 * All directives are explained in documentation in the doc/ folder
 * or at <https://docs.phpmyadmin.net/>.
 *
 * @package PhpMyAdmin
 */

/**
 * This is needed for cookie based authentication to encrypt password in
 * cookie. Needs to be 32 chars long.
 */                                         
$cfg['blowfish_secret'] = "111111111111111111111111111111111"; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */

/**
 * Servers configuration
 */
/**
 * First server
 */
$i = 1;
/* Server parameters */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = 'db1.slash16.local';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['extension'] = 'mysql';

/**
 * Second server
 */
$i = 2;
/* Server parameters */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = 'db2.slash16.local';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['extension'] = 'mysql';

/**
 * Third server
 */
$i = 3;
/* Server parameters */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = 'preprod.slash16.local';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['extension'] = 'mysql';

[free4myself]

I figured out that chrome extensions can be a cause for this problem.
In my case it was the safe torrent scanner chrome extension.
Very interesting that such can produce a bug like this.
I do not think it is a phpMyAdmin issue.

I also have the same issue. Once I turn off the "Safe Torrent Scanner" plugin, it now working again.

Also in my case " Safe torrent scanner " chrome extension caused the login problem. So I disable it .

[Keagel]

In my case it was caused by the Firefox extension 'Disable HTML5 Autoplay'. Really weird.