#3893 Token mismatch error on every action

Group: 4.1.6
Status: duplicate
Labels: auth
Priority: 1
Updated: 2015-02-20
Created: 2013-04-28
Private: No

I'm getting token mismatch on every link I click, and I can get only to the main menu screen, nothing else is working.

I attach an image where you can see the bug and the version of php, mysql and phpMyAdmin I'm using. Also I'm on Windows 7 and using xampp 1.8.1 and Chrome/26.0.1410.64.

Also here is the config file I built with the setup option:

/* Servers configuration */
$i = 0;

/* Server: 127.0.0.1 [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = '';
$cfg['Servers'][$i]['host'] = '127.0.0.1';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['nopassword'] = true;
$cfg['Servers'][$i]['auth_type'] = 'http';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
$cfg['Servers'][$i]['CountTables'] = true;

/* End of servers configuration */

$cfg['DefaultLang'] = 'en';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
$cfg['AllowArbitraryServer'] = true;
$cfg['UserprefsDeveloperTab'] = true;
$cfg['Error_Handler']['display'] = true;


Discussion

  • Giovanni Bechis

    Giovanni Bechis - 2014-02-03

    The problem is present also in 4.1.6 whenever I try to create a user if using a tcp connection, with session.auto_start=0 I have a "token mismatch" error, with session.auto_start=1 I have a "session expired" error, I think that after clicking the "go button" and executing server_privileges.php the token is regenerated.

     
  • Olivier - interfaSys

    I get the same problem with the latest PMA 4.1.5 and the URLs have 2 tokens, as described by Kissaki.

    It didn't happen on mod_php, but now that we've switched to PHP-FPM, the token times out.
    It doesn't happen with other apps, such as Horde, which also use the PHP session defaults (memcached), but PMA is the only one using http auth, if that makes a difference.

     
    Last edit: Olivier - interfaSys 2014-01-19
  • Marc Delisle

    Marc Delisle - 2014-02-05
    • Group: 4.0.0 --> 4.1.6
     
  • Olivier - interfaSys

    In 4.1.8, I don't have the double token in the URL any more, but I still get a token mismatch alert after I let PMA sit idle for a while.

     
  • Patrick Holz

    Patrick Holz - 2014-02-24

    Hi,

    we are using phpMyAdmin remotely on our RHEL5 servers. Some minor versions ago suddenly this error occurred. It is not possible to create users via phpMyAdmin since then, we are getting "Token mismatch" every time. All other functions are working fine.

    It doesn't matter how long a session has been running. Even immediately after logging in and trying to create a user the message pops up. I've tried all mentioned possible fixes, but none of them works.

    I can confirm that since 4.1.8 the two tokens in the URL are the same, but it doesn't solve the issue.

    Kind regards

     
  • .Loon

    .Loon - 2014-02-25

    ..don't use space characters in your pma-folder name!

    .Loon

     
  • Nosxxx

    Nosxxx - 2014-02-25

    Hey
    I have the same problem as Patrick Holz

     
    Last edit: Nosxxx 2014-02-25
  • stalker37

    stalker37 - 2014-03-22

    4.1.10 some issue. I cannot add user from PMA - token mismatch

     
  • Marc Delisle

    Marc Delisle - 2014-03-22

    @stalker37: I have no problem adding a user under 4.1.10.

     
  • stalker37

    stalker37 - 2014-03-22

    Hmm.. I'm using nginx -> proxy 2 apache and ssl connect.
    PMA connect to mysql through tcp.

    mysql cli from webserver working fine.

     
  • Marc Delisle

    Marc Delisle - 2014-03-22

    @stalker37: did it work for you in 4.1.9?

     
  • stalker37

    stalker37 - 2014-03-22

    PMA 4.0.10 working fine on that setup

     
  • stalker37

    stalker37 - 2014-03-22

    4.1.9 not working too

     
  • Vitaly Lipatov

    Vitaly Lipatov - 2014-05-08

    I discovered AuthenticationCookie::authCheck() function has incorrect $GLOBALS['server'] value (1 instead of 4 in my case), it breaks the following condition:
    if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']])) {

    phpMyAdmin 4.1.14

     
    Last edit: Vitaly Lipatov 2014-05-08
  • Scott M

    Scott M - 2014-05-22

    Still seeing mismatch error when creating user on 4.2.2

    Done same as thread outlines, can log in fresh and as quickly as you can go to create user and click go, the mismatch error throws and you are dead in the water until you go and log in fresh again. Rather frustrating that I have to create my users at the CLI and then I can manage their permission through PMA. This is the only place I have experienced the mismatch error on 4.2.2 but have only been using it a couple of days.

     
  • bvhz

    bvhz - 2014-05-23

    It's actually this ajax call that causes the issue (it resets the cookie):

    /server_privileges.php?ajax_request=true&token=***&validate_username=true&username=***

    The quick fix is just to disable it:
    /js/server_privileges.js line 188-209
    Comment out:
    /*
    $("#fieldset_add_user_login input[name='username']").live("focusout", function () {
    ***snip****
    });
    */

    You can now add users again :)

     
    Last edit: bvhz 2014-05-23
  • Gunter Grodotzki

    4.2.2 not working on Firefox (latest) and Chrome (latest)

     
  • simonswine

    simonswine - 2014-06-13

    Same problem here, multi-server phpmyadmin configuration. As soon as a user is created on a server (not the first one), I'm getting a token mismatch error, due to the ajax request, which checks for a duplicate username.

    I was able to fix this behavior with this little PR. I also edited the error_handling.js, because after a JS error occurred, I got the token mismatch message too.

    https://github.com/phpmyadmin/phpmyadmin/pull/1225

     
  • Marc Delisle

    Marc Delisle - 2014-06-14

    @simonswine: I have cherry-picked your patch for the upcoming 4.2.4 release, thanks.

     
    • ro bo

      ro bo - 2014-06-14

      This patch resolves a 12 months nightmare ... thanks Roger


  • Marc Delisle

    Marc Delisle - 2014-06-14

    @ro bo: Please clarify: by nightmare, do you mean the case of token mismatch following a user creation, or another case?

     
  • Aurélien LEQUOY

    This happens on: 4.2.5

    when I updated my list of servers:

    My config.inc.php:

    // Load the server list from an INI file, keeping its sections.
    $servers = parse_ini_file("/data/www/photobox/configuration/db.config.ini.php", true);
    $hosts = array();

    // Collect host[:port] for every entry that uses the mysql driver.
    foreach ($servers as $server) {
        if ($server['driver'] === 'mysql') {
            $port = empty($server['port']) ? '' : ':' . $server['port'];
            $hosts[] = $server['hostname'] . $port;
        }
    }

    // De-duplicate and sort the host list.
    $hosts = array_unique($hosts);
    usort($hosts, 'version_compare');

    // One phpMyAdmin server entry per host.
    // Assumes $i was initialised earlier in config.inc.php.
    foreach ($hosts as $host) {
        $i++;
        $cfg['Servers'][$i]['host'] = $host;
        $cfg['Servers'][$i]['port'] = '';
        $cfg['Servers'][$i]['socket'] = '';
        $cfg['Servers'][$i]['connect_type'] = 'tcp';
        $cfg['Servers'][$i]['compress'] = false;
        $cfg['Servers'][$i]['controluser'] = '';
        $cfg['Servers'][$i]['controlpass'] = '';
        $cfg['Servers'][$i]['auth_type'] = 'http';
    }

     
  • Peter VARGA

    Peter VARGA - 2014-10-21

    Yes, it is unbelievably annoying! Just like Apple: They decide what is good for the people and what they need and what they do not need!

    I am using PMA behind a firewall without any public access and it would be an important feature to disable this annoying token check. You can get rid of this:
    In the script libraries/common.inc.php look for this code [line ~460]:

    if (PMA_isValid($_REQUEST['token'])) {
        $token_mismatch = ($_SESSION[' PMA_token '] != $_REQUEST['token']);
    }
    

    add this line after the if and the pain has an end:

    $token_mismatch = false;
    

    Best Regards,

     
  • Marc Delisle

    Marc Delisle - 2014-10-21

    Peter,
    which version are you running and where do you see the Token mismatch error?

    If we added a way to disable this, we would need strong warnings as not every server is behind a firewall, and the token is our best defense mechanism against external attacks.
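
The failure mode reported in this thread (a background request changing session state between rendering a form and submitting it) and a token check that stays enabled, as an added PHP example that is not phpMyAdmin's code and not from any poster. The function names, the `csrf_token` session key and the constructed scenario are assumptions made for illustration.

```php
<?php
// Added illustration; names are hypothetical, not phpMyAdmin's API.

/** Return the session's anti-CSRF token, creating it only when absent. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(16));
    }
    return $session['csrf_token'];
}

/** True when the request token is missing or differs from the session's. */
function token_mismatch(array $session, array $request): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $request['token'] ?? '';
    if ($expected === '' || !is_string($given) || $given === '') {
        return true; // fail closed: no token means no state change
    }
    return !hash_equals($expected, $given); // constant-time comparison
}

/**
 * Constructed scenario: render a form, let a background AJAX request run,
 * then submit the form with the token it was rendered with.
 */
function simulate(bool $ajaxLosesSession): bool
{
    $session   = [];
    $formToken = csrf_token($session);   // token embedded in the form
    if ($ajaxLosesSession) {
        $session = [];                   // side request ends up with a fresh session
    }
    csrf_token($session);                // AJAX handler reads (or re-creates) the token
    return token_mismatch($session, ['token' => $formToken]);
}

var_dump(simulate(true));                        // session lost: submit is rejected
var_dump(simulate(false));                       // session kept: submit is accepted
var_dump(token_mismatch(['csrf_token' => 'x'], [])); // request without a token
```

The rejected submit in the first case is the check working as designed; the defect to fix is whatever replaces the session, which is where the patch credited later in this thread made its change.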

     
    • Peter VARGA

      Peter VARGA - 2014-10-21

      4.2.10 but it was also already before.

      I agree regarding the strong warnings but at least there would be an option. If a "DAU" is using PMA then he can anyway exploit his configuration.
      The "token mismatch" message was annoying me that much so I decided to remove the check in the source code.

       
  • Olivier - interfaSys

    I can't speak for Peter, but we're still having the issue. Using PHP-FPM via mod_proxy_fcgid and HTTP auth for PMA.

    After leaving PMA alone for a while, I see inconsistent info in the URL.
    /index.php?db=&table=&server=1&target=&token=995b4698f00fc6837f882a9ef01c3579#PMAURL-3:sql.php?db=mydb&table=my_table&server=1&target=&token=b2486e2519cb2354222914d5a1da2509

     
  • Marc Delisle

    Marc Delisle - 2014-10-21

    Olivier,
    "still" meaning phpMyAdmin 4.2.10 or 4.2.10.1?

     
  • Olivier - interfaSys

    That was on 4.2.10, but I've just upgraded, so I will let it rest and post an update within the hour.

     
  • Marc Delisle

    Marc Delisle - 2014-10-21

    Olivier, there was no fix for this between 4.2.10 and 4.2.10.1; I just wanted to see if you are up to date.

    Do you see the token mismatch error only after a while, or immediately after login?

     
  • Olivier - interfaSys

    Ah :)
    After a while.
    The URL looks like this right now
    #PMAURL-3:sql.php?db=mydb&table=my_table&server=1&target=&token=1e4e066f8e1ac060f751922609e088c5

     
    Last edit: Olivier - interfaSys 2014-10-21
    • Marc Delisle

      Marc Delisle - 2014-10-21

      After a while, meaning after your PHP session has expired?

       
      • Olivier - interfaSys

        Yes, so after 24 minutes if I'm not mistaken (default value)

         
      • Olivier - interfaSys

        OK, so I waited and the URL didn't change...
        Links have only one token, the same one as posted above, but I get a token mismatch when clicking on links.

         
      • Olivier - interfaSys

        I get the "double URL" when I hit refresh in the browser. It clears the token and I can access PMA again.

         
        Last edit: Olivier - interfaSys 2014-10-21
  • Madhura Jayaratne

    A workaround for this problem has been added to the master branch of our GIT repository. Does that fix the issue for you?

     
  • Madhura Jayaratne

    • assigned_to: Madhura Jayaratne
     
  • Madhura Jayaratne

    • status: open --> duplicate
    • Priority: 5 --> 1
     
  • Miroslav Kubelik

    Thank you very much Madhura, Olivier for solving such a long, annoying bug.

     
  • Slave2theweb

    Slave2theweb - 2014-12-01

    Hi to all on here. I am having this same issue as the original poster. Difference is I am punching above my tech weight. It took me ages to get xampp installed on my local. I had to change permissions that I didn't know existed on my machine. Would it be possible to explain to a seriously tech knowledge deficient person like me how to solve this problem in a step by step explicit way. Would really appreciate any help I can get. I invested too much time to get installed at the outset to give up now. Did manage to actually get access again to myphpadmin after updating to the latest version but now I'm stuck at the same place as the original poster. Would hate to give up being so close to a fix but I am not understanding how to implement the solution you came to in the end. Thanks in advance of any potential help in helping a less techie guy! Cheers.

     
  • Miroslav Kubelik

    @Slave2theweb: this bug is fixed in 4.3, so wait for 4.3.0 release

     
  • Slave2theweb

    Slave2theweb - 2014-12-02

    That's really good news. Thanks for updating me Miroslav!

     
  • Patrick Holz

    Patrick Holz - 2014-12-10

    Hello everyone,

    since 4.3.x the bug is even worse for me. In previous versions, I only got the "token mismatch" error while creating new users. Now it occurs after every second or third SQL query, which is annoying our users a lot. I had to put the "$token_mismatch = false;" workaround back into libraries/common.inc.php. It doesn't matter how long the user has been logged in, so the sessions are not expired.

    CU, Patrick

     
  • Patrick Holz

    Patrick Holz - 2014-12-10

    Hi,

    indeed the patch solved the issue. Thanks a lot!

    CU, Patrick

     