#341 (ok 2.10.0) broken cookie login in multiserver configuration

closed-fixed
1
2007-02-28
2007-01-07
No

This patch repairs a broken cookie login attempt in multiserver configurations where a wrong server is selected after sending user and pw data.

libraries/auth/cookie.auth.lib.php Revision 9333
Mon Aug 21 11:55:32 2006 UTC by lem9

line 409 ...
if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
$servers_cnt = count($cfg['Servers']);
+ if ( isset($_REQUEST['server']) && 0 < $_REQUEST['server'] && $_REQUEST['server'] <= $servers_cnt ) {
+ $server = $_REQUEST['server'];
+ $cfg['Server'] = $cfg['Servers'][$server];
+ }
+ else
for ($i = 1; $i <= $servers_cnt; $i++) {
if (isset($cfg['Servers'][$i])
...
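
Review bot: In the added if, $_REQUEST['server'] is range-checked with loose comparisons and then used unchanged as the key into $cfg['Servers'], so a non-integer string (a decimal value, for example) can pass the check and select an entry that does not exist. Cast it once, for example $server = intval($_REQUEST['server']);, run the range check on that integer, and also require isset($cfg['Servers'][$server]) the way the existing loop does for $i, because count($cfg['Servers']) does not guarantee that every index up to $servers_cnt is defined. The brace-less else in front of the for loop is easy to misread; wrapping the loop in explicit braces would make the fallback path obvious.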

To reproduce, see attached config.inc.php

Discussion

  • Jürgen Wind

    Jürgen Wind - 2007-01-07

    demo config.inc.php

     
  • Jürgen Wind

    Jürgen Wind - 2007-01-07
    • summary: broken cookie login in multiserver configurations --> 2.9 broken cookie login in multiserver configurations
     
  • Jürgen Wind

    Jürgen Wind - 2007-01-07

    Logged In: YES
    user_id=1383652
    Originator: YES

    Same problem in pma 2.10 trunk, but reproducible only with real users, not contained in the demo config.inc.php (tested with FF and IE6). Seems to be dependent on actual setting of $cfg['Servers'][$i]['user']. Without the patch the for loop stops randomly at any matching host/user combination. Maybe some additional security measures are needed (like "intval($_POST['server'])" or some such).

     
  • Jürgen Wind

    Jürgen Wind - 2007-01-07
    • summary: 2.9 broken cookie login in multiserver configurations --> broken cookie login in multiserver configurations
     
  • Michal Čihař

    Michal Čihař - 2007-01-18
    • assigned_to: nobody --> nijel
     
  • Michal Čihař

    Michal Čihař - 2007-01-18

    Logged In: YES
    user_id=192186
    Originator: NO

    The idea behind this code was that if a user logs in under the same condition as some preconfigured server, it will be automatically switched. The problem with the current code is that it only compares hostname and username, while it should probably compare all configuration options.

    I'm more inclined to completely remove this autodetection, as I don't see a real need for it.

     
  • Michal Čihař

    Michal Čihař - 2007-01-18

    Logged In: YES
    user_id=192186
    Originator: NO

    After looking more into the code, it should be used for setting e.g. a different pmadb for some user. So I will only improve the checking of the matching server to match really the same servers.

     
  • Michal Čihař

    Michal Čihař - 2007-01-18

    Logged In: YES
    user_id=192186
    Originator: NO

    I implemented a fix in SVN trunk; can you please verify it works okay?

     
  • Michal Čihař

    Michal Čihař - 2007-01-18
    • priority: 5 --> 1
    • summary: broken cookie login in multiserver configurations --> (ok 2.10.0) broken cookie login in multiserver configuration
    • status: open --> open-fixed
     
  • Jürgen Wind

    Jürgen Wind - 2007-01-18

    Logged In: YES
    user_id=1383652
    Originator: YES

    I tested "trunk" with my problematic config.inc.php -
    now it works like expected :)

     
  • Marc Delisle

    Marc Delisle - 2007-02-28
    • status: open-fixed --> closed-fixed
     
