#4227 (ok 4.3) Token mismatch when using HTTP AUTH and the SESSION expires


I'm using PMA 4.1.4, PHP 5.5 and been having this issue since the release of PMA 4.x.

I'm using HTTP authentication, and whenever my SESSION expires (whether after some idle period or by deleting the phpmyadmin SESSION cookie), clicking on anything triggers a "Error: Token Mismatch" error, which can only be fixed by clearing the URL (removing the hashtag) and reloading the page (so a new token is generated).
This is VERY annoying, because whenever my SESSION expires I have to change the URL and reload PMA, which makes no sense since I'm still HTTP authenticated.

IMHO, when PMA gets a token mismatch, it should check if the HTTP auth info is still correct, and if it is, update the token and move on like nothing happened...

Steps to reproduce:

1) Use HTTP auth on settings
2) Sign in to PMA
3) Expire your SESSION (leaving PMA go idle for a while or deleting the phpmyadmin SESSION cookie)
4) Click anywhere (try to browse, show structure, change DB, anything really)
5) Notice the "Error: Token Mismatch" error and how you can only get rid of it by clearing the URL and reloading the page


  • Felipe Guaycuru Franco

    Also please note that this BUG is NOT a duplicate of #3893 , since I can use PMA normally until my SESSION expires...

    Last edit: Felipe Guaycuru Franco 2014-01-12
  • rob logan

    rob logan - 2014-01-12

    able to reproduce in FreeBSD 10.0-RC5 phpMyAdmin-4.1.4 and changing from auth_type = http to cookie greatly increased usability (http session is extremely short, like ~30sec)

  • Ann + J.M.

    Ann + J.M. - 2014-01-15
    • labels: http auth, token, mismatch --> http auth, token, auth, session
    • Priority: 7 --> 5
  • Viduranga Wijesooriya

    Is this fixed?, because I can't seem to reproduce the issue in latest git version

  • Olivier - interfaSys

    Confirmed on FreeBSD + Apache + PHP-FPM
    PMA: 4.1.7

  • Aayush

    Aayush - 2014-03-20

    i can reproduce this bug in PMA 4.1.7, 4.1.8, 4.1.9
    but not in QA_4_1 or master branch.. is this because the bug is fixed??
    please confirm

  • Felipe Guaycuru Franco

    I can confirm that the issue still happens on PMA 4.2.3, and it also happens when using config as auth method.

  • Madhura Jayaratne

    A workaround for this problem has been added to the master branch of our GIT repository. Does that fix the issue for you?

  • Olivier - interfaSys

    As the patch does not apply cleanly on the latest release, I'll wait for the next RC.

    EDIT: The commits needed to be squashed. I'll provide feedback later on today.

    Last edit: Olivier - interfaSys 2014-11-27
  • Olivier - interfaSys

    That worked! Excellent news. Thanks for the fix :)

  • Madhura Jayaratne

    • assigned_to: Madhura Jayaratne
  • Madhura Jayaratne

    • summary: Token mismatch when using HTTP AUTH and the SESSION expires --> (ok 4.3) Token mismatch when using HTTP AUTH and the SESSION expires
    • status: open --> resolved
    • Priority: 5 --> 1
  • Marc Delisle

    Marc Delisle - 2014-12-05
    • Status: resolved --> fixed