#341 (ok 2.10.0) broken cookie login in multiserver configuration

Status: closed-fixed
Priority: 1
Updated: 2007-02-28
Created: 2007-01-07
Creator: Jürgen Wind
Private: No

This patch repairs a broken cookie login attempt in multiserver configurations where a wrong server is selected after sending user and pw data.

libraries/auth/cookie.auth.lib.php Revision 9333
Mon Aug 21 11:55:32 2006 UTC by lem9

line 409 ...
if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
$servers_cnt = count($cfg['Servers']);
+ if ( isset($_REQUEST['server']) && 0 < $_REQUEST['server'] && $_REQUEST['server'] <= $servers_cnt ) {
+ $server = $_REQUEST['server'];
+ $cfg['Server'] = $cfg['Servers'][$server];
+ }
+ else
for ($i = 1; $i <= $servers_cnt; $i++) {
if (isset($cfg['Servers'][$i])
...
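
Review bot: `$_REQUEST['server']` is range-checked in the added `if` but never cast to an integer or tested with `isset($cfg['Servers'][$server])`, so a request value that compares as in range without being a real index (for example a non-integer numeric string) is assigned to `$server` and used as the array key, which can leave `$cfg['Server']` unset. Cast first, e.g. `$server = intval($_REQUEST['server']);`, then check the range and `isset($cfg['Servers'][$server])`, the same existence test the loop below already applies to `$i`. The brace-less `else` directly in front of the `for` also deserves braces, since the whole fallback loop now hangs off it and the hunk's indentation does not show that.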

To reproduce, see the attached config.inc.php.

Discussion

  • Jürgen Wind
    2007-01-07

    demo config.inc.php

     
  • Jürgen Wind
    2007-01-07

    • summary: broken cookie login in multiserver configurations --> 2.9 broken cookie login in multiserver configurations
     
  • Jürgen Wind
    2007-01-07

    Logged In: YES
    user_id=1383652
    Originator: YES

    Same problem in pma 2.10 trunk, but reproducible only with real users, not contained in the demo config.inc.php (tested with FF and IE6). Seems to be dependent on the actual setting of $cfg['Servers'][$i]['user']. Without the patch the for loop stops randomly at any matching host/user combination. Maybe some additional security measures are needed (like "intval($_POST['server'])" or some such).

     
  • Jürgen Wind
    2007-01-07

    • summary: 2.9 broken cookie login in multiserver configurations --> broken cookie login in multiserver configurations
     
  • Michal Čihař
    2007-01-18

    • assigned_to: nobody --> nijel
     
  • Michal Čihař
    2007-01-18

    Logged In: YES
    user_id=192186
    Originator: NO

    The idea behind this code was that if a user logs in under the same conditions as some preconfigured server, it will be automatically switched. The problem with the current code is that it only compares hostname and username, while it should probably compare all configuration options.

    I'm more inclined to completely remove this autodetection, as I don't see a real need for it.
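
The selection problem discussed in the two comments above (a host/user-only match that stops at the first hit, and the suggestion to sanitise the requested index), as an added example that is not part of the thread and not phpMyAdmin's code. The server list is constructed, and `requested_server`, `first_host_user_match` and `select_server` are hypothetical helper names.

```php
<?php
// Constructed sample configuration (not the reporter's attached config.inc.php):
// entries 1 and 2 share host and user and differ only in 'pmadb'.
$servers = [
    1 => ['host' => 'db1.example', 'user' => 'app', 'pmadb' => 'pma_a'],
    2 => ['host' => 'db1.example', 'user' => 'app', 'pmadb' => 'pma_b'],
    3 => ['host' => 'db2.example', 'user' => '',    'pmadb' => ''],
];

// Hypothetical helper: accept the requested index only when it is a plain
// decimal integer that names an existing entry; otherwise return null.
function requested_server(array $servers, $raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;   // rejects arrays, "", "2abc", "-1", "1.5"
    }
    $i = (int) $raw;
    return isset($servers[$i]) ? $i : null;
}

// Hypothetical helper: the host/user-only comparison described in the thread.
// It returns the first match, so entries 1 and 2 above are indistinguishable.
function first_host_user_match(array $servers, string $host, string $user): ?int
{
    foreach ($servers as $i => $s) {
        if ($s['host'] === $host && $s['user'] === $user) {
            return $i;
        }
    }
    return null;
}

// Prefer a validated explicit choice; fall back to matching only without one.
function select_server(array $servers, $raw, string $host, string $user): ?int
{
    return requested_server($servers, $raw)
        ?? first_host_user_match($servers, $host, $user);
}

// Explicit valid choice, malformed choice, array-valued choice, unknown index.
foreach (['2', '2abc', ['2'], '9'] as $raw) {
    var_dump(select_server($servers, $raw, 'db1.example', 'app'));
}
```

Only the first call honours the requested entry; the other three fall back to the first host/user match, which is entry 1 even though entry 2 matches equally well.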

     
  • Michal Čihař
    2007-01-18

    Logged In: YES
    user_id=192186
    Originator: NO

    After looking more into the code, it should be used for setting e.g. a different pmadb for some user. So I will only improve the check for a matching server so that it matches really the same servers.

     
  • Michal Čihař
    2007-01-18

    Logged In: YES
    user_id=192186
    Originator: NO

    I implemented a fix in SVN trunk, can you please verify it works okay?

     
  • Michal Čihař
    2007-01-18

    • priority: 5 --> 1
    • summary: broken cookie login in multiserver configurations --> (ok 2.10.0) broken cookie login in multiserver configuration
    • status: open --> open-fixed
     
  • Jürgen Wind
    2007-01-18

    Logged In: YES
    user_id=1383652
    Originator: YES

    I tested "trunk" with my problematic config.inc.php -
    now it works as expected :)

     
  • Marc Delisle
    2007-02-28

    • status: open-fixed --> closed-fixed