Multiple Tabs, Database connections (auth_type cookie) : Error Token Mismatch #12301

Closed
jamesyooda opened this issue Jun 7, 2016 · 21 comments

@jamesyooda

I've found other topics on this problem. This problem has existed since version 4 of PMA at least, and has yet to be fixed.

There are some fix propositions but I don't understand, because there are 3 different fixes, all modifying different files, I have no idea which fix to apply, if not all 3.

That is why I'm reporting this problem again in the hopes of getting a clear answer. Also to be noted: I get this error in version 4.4 as well.

Steps to reproduce

  1. Define multiple SQL servers in config.inc.php with auth_type as cookie
  2. Open up a browser, navigate to PMA, connect to one of the SQL servers, open up a second tab, connect to a different SQL server
  3. Try to perform any action on the first tab; you should get the error: token mismatch

Expected behaviour

Tell us what should happen
Open up multiple tabs, on each tab connect to a different mysql server with the same user account; when trying to perform any action on either tab, there should be no problems

Actual behaviour

Tell us what happens instead
Open up multiple tabs, on each tab connect to a different mysql server with the same user account, when trying to perform any action on the other tabs, you get Error: Token Mismatch

Server configuration

Operating system:
Debian Jessie

Web server:
Apache2.4.10

Database:
SQL

PHP version:
PHP 7.0

phpMyAdmin version:
PMA 4.6

Client configuration

Browser:
Chrome

Operating system:
Windows 7

@Mattie112

I'm not sure if it is related to your issue, but I'm getting the token mismatch on every action. I asked about it yesterday on Stack Overflow, but it might be useful for the devs here, so: https://stackoverflow.com/questions/37682465/phpmyadmin-4-6-2-token-mismatch

@nijel
Contributor
nijel commented Jun 8, 2016

@jamesyooda What phpMyAdmin version do you use?

@Mattie112 Your issue will most likely be different, so either keep it on Stack Overflow or open a separate issue, thanks.

@jamesyooda
Author

My phpmyadmin version is written in my original post, 4.6 or to be precise, 4.6.2, the latest version.

@jamesyooda
Author

I have noticed recently that, for whatever reason, when you open a new tab and connection, it generates a new token for that connection, which is normal; but what isn't normal is that the previous connections I have already opened on different servers try to obtain the new token instead of keeping their original token.

I noticed this by doing a ctrl + F5 on the previous tabs, and noticed that they all obtained the token of the new connection I just opened.

@nijel nijel added the Bug A problem or regression with an existing feature label Jun 8, 2016
@nijel
Contributor
nijel commented Jun 8, 2016

Okay, now I understand what happens: we generate a new session on login, and this includes a new token. This overwrites the old session cookie, and thus the old session data (including the token) is not accessible. So I think we need to generate a new session only in case the user is not already authenticated on a different server.

@Mattie112

@nijel All right, thanks. I will see if I get a reply on Stack Overflow, and if not I will open a separate issue, thanks!

@jamesyooda
Author

So is there a possible fix for this? I'm a systems administrator, not a php coder, so I wouldn't know where to start to debug this.

@jamesyooda
Author

Another bit of info is that my colleagues use multiple DIFFERENT users on multiple different SQL servers. This needs to be possible without any token mismatch problems.

@nijel
Contributor
nijel commented Jun 9, 2016

It really doesn't matter what users those are; what matters is that it is one browser session.

@jamesyooda
Author

Alright, how do things work here? Does someone have to be assigned to work on the problem? Are you working on the problem?

@nijel
Contributor
nijel commented Jun 9, 2016

You can see nobody is assigned, so nobody from our team is working on the fix right now...

@WanWizard
Contributor

I've upgraded our management system today (from 4.0.x to the latest version), and where this worked fine before, now it's broken.

This issue has been open for 10 months now, perhaps it's time to bump the priority?

@WanWizard
Contributor
WanWizard commented Apr 12, 2017

Workaround (v4.7.0), in ./libraries/plugins/AuthenticationPlugin.php, replace logOut() with:

    public function logOut()
    {
        global $PHP_AUTH_USER, $PHP_AUTH_PW;

        /* Obtain redirect URL (before doing logout) */
        if (! empty($GLOBALS['cfg']['Server']['LogoutURL'])) {
            $redirect_url = $GLOBALS['cfg']['Server']['LogoutURL'];
        } else {
            $redirect_url = $this->getLoginFormURL();
        }

        /* Get a logged-in server count */
        $servers = 0;
        foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
            if (isset($_COOKIE['pmaAuth-' . $key])) {
                $servers++;
            }
        }

        /* No more servers logged in? */
        if ( ! $servers) {
            // kill the session
            $_SESSION = array();
            session_destroy();
        }

        /* Clear credentials */
        $PHP_AUTH_USER = '';
        $PHP_AUTH_PW = '';

        /* Redirect to login form (or configured URL) */
        PMA_sendHeaderLocation($redirect_url);
    }

It will only delete the session once the last server is logged out, so other open windows will still work when you log out of one server.

The only issue I still have is that when I try to log in to another server, it sometimes fails and returns to the login screen, and sometimes it succeeds but opens with the first server in the dropdown, not the one I've logged into (root passwords are all the same for all nodes, I'm a lazy tester ;)).

@awright424

WanWizard, will this work for the version below? I have just installed this on a server, and we have had this issue when doing this for years with prior versions.
Version information: 4.6.6deb1+deb.cihar.com~trusty.2

@WanWizard
Contributor

From what I can see in a quick code scan, the logOut() method was introduced in 4.6.2, so it should work.

Just replace

        /* delete user's choices that were stored in session */
        $_SESSION = array();
        if (!defined('TESTSUITE')) {
            session_destroy();
        }

by

        /* Get a logged-in server count */
        $servers = 0;
        foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
            if (isset($_COOKIE['pmaAuth-' . $key])) {
                $servers++;
            }
        }

        /* No more servers logged in? */
        if ( ! $servers and ! defined('TESTSUITE')) {
            // kill the session
            $_SESSION = array();
            session_destroy();
        }

Don't forget to make a backup of the file before you change it. Just in case... ;-)

@nijel
Contributor
nijel commented Apr 28, 2017

@WanWizard Your fix makes sense, can you please create a pull request for that?

WanWizard added a commit to WanWizard/phpmyadmin that referenced this issue Apr 28, 2017
…in#12301

If you are logged in to multiple database servers, logOut() logs you out of all of them. This fix will prevent that, and will only destroy the session when you log out of the last server.
@WanWizard
Contributor

No problem, PR created.

@nijel
Contributor
nijel commented Apr 28, 2017

Thanks, I will improve it a bit and merge. But that works only in case LoginCookieDeleteAll is set to false, which none of you have mentioned before...

@nijel nijel closed this as completed in cde775b Apr 28, 2017
nijel added a commit that referenced this issue Apr 28, 2017
- avoid removing session for cookie auth if LoginCookieDeleteAll is
  disabled
- redirect user to other server rather than to login page
- show message about partial logout
- adjust tests
- this is based on #13221

Fixes #12301

Signed-off-by: Michal Čihař <michal@cihar.com>
@nijel nijel self-assigned this Apr 28, 2017
@nijel nijel added this to the 4.7.1 milestone Apr 28, 2017
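
Added example (not from the thread or from phpMyAdmin's code): a toy PHP model of the behaviour discussed above, covering nijel's explanation that login creates a new session and token, WanWizard's logout workaround, and the LoginCookieDeleteAll caveat. `ToyPma`, `scenario` and the `$reuseSession` / `$deleteAll` switches are hypothetical names, and sessions are modelled as a plain array rather than PHP's session handler.

```php
<?php
// Added toy model (PHP 8+), not phpMyAdmin code; every name here is hypothetical.
final class ToyPma
{
    private array $sessions = []; // server-side store: session id => token + logged-in servers

    public function __construct(private bool $reuseSession) {}

    /** Log in to $server; returns [session cookie, token embedded in that tab's pages]. */
    public function login(?string $cookie, int $server): array
    {
        $authenticated = $cookie !== null && !empty($this->sessions[$cookie]['servers']);
        if (!($this->reuseSession && $authenticated)) {
            unset($this->sessions[$cookie ?? '']); // old session data becomes unreachable
            $cookie = bin2hex(random_bytes(16));   // new session id and a new token
            $this->sessions[$cookie] = ['token' => bin2hex(random_bytes(16)), 'servers' => []];
        }
        $this->sessions[$cookie]['servers'][$server] = true;
        return [$cookie, $this->sessions[$cookie]['token']];
    }

    /** The token check applied to every action. */
    public function action(string $cookie, string $token): string
    {
        $valid = isset($this->sessions[$cookie])
            && hash_equals($this->sessions[$cookie]['token'], $token);
        return $valid ? 'ok' : 'Error: Token Mismatch';
    }

    /** Log out of one server; $deleteAll models LoginCookieDeleteAll being enabled. */
    public function logout(string $cookie, int $server, bool $deleteAll): void
    {
        unset($this->sessions[$cookie]['servers'][$server]);
        if ($deleteAll || empty($this->sessions[$cookie]['servers'])) {
            unset($this->sessions[$cookie]); // destroy the whole session
        }
    }
}

/** Tab 1 uses server 1, tab 2 uses server 2; both share one browser cookie jar. */
function scenario(bool $reuseSession, bool $deleteAll): array
{
    $pma = new ToyPma($reuseSession);
    [$cookie, $tab1Token] = $pma->login(null, 1);
    [$cookie] = $pma->login($cookie, 2);           // overwrites the browser's session cookie
    $afterLogin = $pma->action($cookie, $tab1Token);
    $pma->logout($cookie, 2, $deleteAll);          // tab 2 logs out
    return [$afterLogin, $pma->action($cookie, $tab1Token)];
}

echo json_encode([scenario(false, false), scenario(true, false), scenario(true, true)]), PHP_EOL;
```

The three results are, in order: a new session on every login (tab 1 fails as soon as tab 2 logs in), session reuse with per-server logout (tab 1 keeps working), and session reuse with delete-all logout (tab 1 fails once tab 2 logs out).
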
@WanWizard
Contributor

Didn't even know that flag existed. Thanks for the update.

@stalker37
stalker37 commented Jun 20, 2019

Some problem on phpMyAdmin 4.9.0.1: after logging in to one database, phpMyAdmin is logged out of another database in a second browser tab.

@williamdes
Member

@stalker37 You are right but this is more #14235 for now

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 22, 2020