4.9.2+ Failed to set session cookie. Maybe you are using HTTP instead of HTTPS #15634
|
@Btazbt Are you using a load balancer, a proxy,
Are you using Microsoft IIS? |
|
With the link https://example.com/phpmyadmin/ everything is ok. |
|
@click0 Okay, can you send as much info about your setup? I assume you are using 4.9.2 ;) |
|
phpMyAdmin Version 4.9.2

config.inc.php:

```php
<?php
$cfg['PmaAbsoluteUri_DisableWarning'] = TRUE;
$cfg['blowfish_secret'] = 'ccccccccccccccccc';
$cfg['Servers'][1] = array(
    'verbose' => 'MySQL',
    'auth_type' => 'cookie',
    'user' => '',
    'host' => 'localhost',
    'ForceSSL' => 'false',
    'TempDir' => './tmp/'
);
```
|
|
@click0 So you are not using a proxy and access phpMyAdmin with the nginx server. Can you paste the nginx config here? |
|
You are using |
|
@williamdes A piece of nginx config to use phpmyadmin:

```nginx
...
location /111111111111 {
    alias /usr/local/www/phpMyAdmin;
    autoindex off;
    index index.php;
    allow all;
}
location ^~ /111111111111/libraries {deny all;}
location ^~ /111111111111/setup/lib {deny all;}
location ~* ^/111111111111/(.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf))$ {
    alias /usr/local/www/phpMyAdmin/$1;
}
location ~ ^/111111111111/(.*\.php)$ {
    fastcgi_pass unix:/var/run/php.www.sock;
    include fastcgi_params;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param SCRIPT_FILENAME /usr/local/www/phpMyAdmin/$1;
    fastcgi_param DOCUMENT_ROOT /usr/local/www/phpMyAdmin;
}
...
```
|
@click0 I am confused, I could not reproduce the issue you have.

```nginx
server {
    listen 443 ssl http2;
    listen 80;
    access_log /var/log/nginx/access_localhost.pma.ssl.local.log;
    error_log /var/log/nginx/error_localhost.pma.ssl.local.log error;
    server_name pma.ssl.local;
    index index.php index.html;
    location /111111111111 {
        alias /mnt/Dev/pma/4.9.2;
        autoindex off;
        index index.php;
        allow all;
    }
    location ^~ /111111111111/libraries {deny all;}
    location ^~ /111111111111/setup/lib {deny all;}
    location ~* ^/111111111111/(.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf))$ {
        alias /mnt/Dev/pma/4.9.2/$1;
    }
    location ~ ^/111111111111/(.*\.php)$ {
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
        include fastcgi_params;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param SCRIPT_FILENAME /mnt/Dev/pma/4.9.2/$1;
        fastcgi_param DOCUMENT_ROOT /mnt/Dev/pma/4.9.2;
    }
}
```

```php
<?php
$cfg['PmaAbsoluteUri_DisableWarning'] = TRUE;
$cfg['blowfish_secret'] = 'are,orgneigelgnergliengreoigregeilrguelrgeug';
$cfg['Servers'][1] = array(
    'verbose' => 'MySQL',
    'auth_type' => 'cookie',
    'user' => '',
    'host' => '172.20.0.1',
    'ForceSSL' => 'false',
    'TempDir' => './tmp/'
);
```

php 7.2 and php7.3 |
|
@click0 I even tried FreeBSD 12 for the first time! |
|
I also have memcache as a repository for php sessions: |
|
Are you sure you can not reproduce the problem when you login inside the panel at https://pma.ssl.local///////111111111111/ ? |
I had totally missed that, reproduced ! |
The cookie path is wrong or from another point of view the URL of the user is wrong |
|
Check still such url - https://pma.ssl.local:8443/index.php |
Works fine |
|
This is a bad thought. |
I agree |
nothing special. it's a home server on a windows platform. WordPress works fine as a user and admin |
|
@Btazbt can you apply the diff and send the new message? |
Here is the error.
phpmyadmin is installed in |
|
Thank you @Btazbt for this precious information |
|
@CallMarl can you try to apply the patch ? |
|
I think I'm nearer a method of reproducing this issue:
I was previously signed in with, say, In Chrome's network tab, I can see the correct username/password for My login request also sends a set of cookies, which are: The response back includes four cookies: So - two identical phpMyAdmin_https cookies. One is a replica of the (expired) session cookie that I sent with my signin (starting q5c0). That session cookie is for a different user, though. The other one is a new-looking one. Upon repeating the login attempt, there's a Cookies being sent this time are...
...and this time, I'm given these cookies in return, in a successful 302 to the dashboard In this case, I'm still being sent two identical Is this helpful, @williamdes ? |
|
I just made a fresh install of phpMyAdmin on openSUSE 43 and keep getting this cookie error. Been working on it for 2 hours now and simply can't log in. Clearing cookies/cache doesn't work. Incognito doesn't work. Changing inc.config.php doesn't work either. Running version 4.9.2. |
|
@dspaan are you using Apache? |
|
Yes, Apache. For some reason it's working now after I changed config.inc.php with auth_type config and a blowfish key. Which config do you want to see? /etc/apache2/httpd.conf? |
Yeah, it "works" because it does not use cookies (if I am right). Any non-standard config file you modified, if possible. Did you follow a tutorial? |
|
No, I didn't follow a tutorial. I only modified config.inc.php by reading the official phpMyAdmin documentation. I tried 3 different browsers. Can I do anything to help figure out what's causing this? |
|
Okay then:
I think we will have a good starting point here :) Could you apply #15634 (comment) and let us know the error message ? |
|
No proxy |
|
OK, I have tried to reproduce the problem and installed phpMyAdmin on two other servers, but it worked flawlessly. I noticed the config.sample.inc.php was owned by root:root and the non-working configuration had wwwrun:www, so I changed the ownership of that file to wwwrun:www and my install broke immediately again. Now I changed it back to root:root but it's still broken and I can't get it working anymore; even using config.inc.php with blowfish/config auth, it's still not working... mind is blown. I broke my install again. I have also installed the suggested patch and then I get this error output: Failed to set session cookie. Maybe you are using HTTP instead of HTTPS to access phpMyAdmin. We think the path is /phpMyAdmin/ and the path you are using is //phpMyAdmin/ |
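
The mismatch reported above (`/phpMyAdmin/` versus `//phpMyAdmin/`, and earlier `https://pma.ssl.local///////111111111111/`) can be checked against the cookie path-match rule of RFC 6265, section 5.1.4. The sketch below is an added example, not part of the thread or of phpMyAdmin; the function names are hypothetical and `example.com` stands in for the host the report does not name.

```javascript
// Added example (not phpMyAdmin code): the RFC 6265 section 5.1.4 path-match
// rule, applied to the URLs quoted in this thread. All names are hypothetical.

// The browser matches against the path exactly as requested; the WHATWG URL
// parser keeps empty segments, so duplicate slashes survive.
function requestPath(url) {
  return new URL(url).pathname;
}

// True when a cookie with Path=cookiePath is sent for reqPath.
function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// Canonical form a server-side redirect could enforce before login.
function collapseSlashes(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Classify a login URL against the Path the server put on the session cookie.
function diagnose(url, cookiePath) {
  const path = requestPath(url);
  if (pathMatch(path, cookiePath)) return 'cookie sent';
  const canonical = collapseSlashes(path);
  if (pathMatch(canonical, cookiePath)) {
    return 'cookie dropped: duplicate slashes, canonical path is ' + canonical;
  }
  return 'cookie dropped: path mismatch';
}

// Constructed inputs built from the URLs and paths quoted in the thread;
// example.com is a placeholder host.
const cases = [
  ['https://pma.ssl.local/111111111111/index.php', '/111111111111/'],
  ['https://pma.ssl.local///////111111111111/', '/111111111111/'],
  ['https://example.com//phpMyAdmin/', '/phpMyAdmin/'],
];
for (const [url, cookiePath] of cases) {
  console.log(url, '=>', diagnose(url, cookiePath));
}
```

With the cookie scoped to the canonical path, a request that carries extra leading slashes never returns the session cookie, which is consistent with the "Failed to set session cookie" message even over HTTPS.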
|
No idea what's happening but my install is still broken. I made a tar.gz from the /srv/www/htdocs/phpMyAdmin of a server where it is working fine and extracted that on the problem server but it's still not working. |
|
And if you |
|
Yeah, I already tried that and lots of other permission combinations. But for whatever reason right now it's working again, while during my last post it didn't, and I did not change anything in between. So maybe a reboot or another mechanism fixed it. Even though I restarted Apache after every change I made. |
Quite strange, thank you for the feedback. |
|
Example URL: https://pma.ssl.local///////111111111111/
Source: #15634 (comment) @nijel did you intentionally remove consecutive characters |
|
I am also having this issue with version Doesn't let me login via Chrome (on Windows 10) always giving the error I've ensured no addons to Chrome are causing the issue. Disabled all. |
|
@bakhtiya could you delete all the cookies for the "website" phpMyAdmin is on, in the developer console ? |
|
@williamdes - I'm still getting intermittent errors when trying to log in on Chrome. When it manifests itself, the behaviour is always "Failed to set session cookie. Maybe you are using HTTP instead of HTTPS" on the first attempt; and then it always works on the second attempt. This does not happen using Firefox, and only appears to be an issue in Chrome. Above, I highlight that PHPMyAdmin is sending two conflicting Is this the same bug as is being otherwise discussed here, or is it worth spinning this bug report out separately? |
It seems to be the same bug, anyone that can work out a pull-request is very welcome :) |
|
My bug appears to be with session management - it seems to be setting the old session, before having a change of heart and setting a new session cookie. What I'm not fully understanding is this bit of

```php
foreach (['lifetime', 'path', 'domain', 'secure', 'httponly'] as $key) {
    if (isset($sessionCookieParams[$key])) {
        continue;
    }
    $sessionCookieParams[$key] = $defaultCookieParams($key);
}
if (isset($sessionCookieParams['samesite'])
    && ! in_array($sessionCookieParams['samesite'], ['Lax', 'Strict'])) {
    // Not a valid value for samesite
    unset($sessionCookieParams['samesite']);
}
if (version_compare(PHP_VERSION, '7.3.0', '>=')) {
    session_set_cookie_params($sessionCookieParams);
}
session_set_cookie_params(
    $sessionCookieParams['lifetime'],
    $sessionCookieParams['path'],
    $sessionCookieParams['domain'],
    $sessionCookieParams['secure'],
    $sessionCookieParams['httponly']
);
```

If you have PHP v7.3.0 or above - which I do! - this would appear to set a cookie twice - once using the $sessionCookieParams full array with the potential of a 'samesite' cookie attribute, which is only available in PHP v7.3.0 and above... but THEN, if you're running PHP v7.3.0, it immediately sets the cookie all over again without that 'samesite' cookie attribute in the older format. This is entirely unrelated, I suspect since the issue isn't setting an identical cookie twice, it's setting an identically-named cookie twice with different content. But the above would seem as if it's missing an |
You pointed out one potential bug, I fixed it by 3307479 |
|
To me it seems not to work ... even in phpMyAdmin 5.0.4. |
Could you open a new issue so we can discuss and find out what is wrong? |
|
Same here.

config.inc.php:

```php
$cfg['blowfish_secret'] = 'MAKSED'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
/*
 * Servers configuration
 */
$i = 0;
// Change this to use the project and instance that you've created.
$host = '/cloudsql/{{ MASKED }}';
$type = 'socket';
/*
 * First server
 */
$i++;
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
/* Server parameters */
$cfg['Servers'][$i]['socket'] = $host;
$cfg['Servers'][$i]['connect_type'] = $type;
$cfg['Servers'][$i]['compress'] = false;
/* Select mysql if your server does not have mysqli */
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
/*
 * End of servers configuration
 */
/*
 * Directories for saving/loading files from server
 */
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
/*
 * Other settings
 */
$cfg['PmaNoRelation_DisableWarning'] = true;
$cfg['ExecTimeLimit'] = 60;
$cfg['CheckConfigurationPermissions'] = false;
$cfg['DefaultCharset'] = 'utf8mb4';
$cfg['TempDir'] = '/tmp';
```

app.yaml:

```yaml
service: phpmyadmin
runtime: php74
instance_class: F2
automatic_scaling:
  min_instances: 0
  max_instances: 2
handlers:
- url: /(.+\.(ico|jpg|png|gif|htm|html|css|js))$
  static_files: \1
  upload: (.+\.(ico|jpg|png|gif|htm|html|css|js))$
- url: .*
  script: auto
  secure: always
```

php.ini
|

Getting the same error. Tried using Chrome (all extension disabled), IE, Firefox. Tried options of clearing cookies. Nothing in phpmyadmin, php, or apache error logs. No luck.
using myPHPAdmin 4.9.2 with PHP Version 7.3.12 and MySQL version 8.0.18 with standard authentication.
Originally posted by @Btazbt in #14184 (comment)