Debian Bug report logs - #499399
phpmyadmin: Ignores LoginCookieValidity

Package: phpmyadmin; Maintainer for phpmyadmin is Thijs Kinkhorst <thijs@debian.org>; Source for phpmyadmin is src:phpmyadmin.

Reported by: François Gannaz <francois.gannaz@free.fr>

Date: Thu, 18 Sep 2008 13:00:02 UTC

Severity: wishlist

Tags: fixed-upstream

Found in version phpmyadmin/4:2.11.8.1-1

Fixed in version phpmyadmin/4:3.2.0-1

Done: Michal Čihař <nijel@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://sf.net/support/tracker.php?aid=2127987


Report forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#499399; Package phpmyadmin. Full text and rfc822 format available.

Acknowledgement sent to François Gannaz <francois.gannaz@free.fr>:
New Bug report received and forwarded. Copy sent to Thijs Kinkhorst <thijs@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: François Gannaz <francois.gannaz@free.fr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: phpmyadmin: Ignores LoginCookieValidity
Date: Thu, 18 Sep 2008 13:43:31 +0200
Package: phpmyadmin
Version: 4:2.11.8.1-1
Severity: normal

phpMyAdmin ignores the configuration parameters that extend the duration
of a session.

In my /etc/phpmyadmin/config.inc.php:
$cfg['Servers'][$i]['LoginCookieValidity'] = 72000; // 20 h
$cfg['LoginCookieValidity'] = 72000; // 20 h

But I still get disconnected after 1800 s (30 minutes). I also tried to
change the 'LoginCookieStore' parameter, or to use another browser
(firefox 3, opera 9.52).

I could reproduce this on another lenny. I googled for it, and some
Ubuntu fellows seem to have the same problem:
http://ubuntuforums.org/showthread.php?t=743991

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (600, 'stable'), (300, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25.16-FG
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages phpmyadmin depends on:
ii  debconf [debconf-2.0]         1.5.22     Debian configuration management sy
ii  libapache2-mod-php5           5.2.6-3    server-side, HTML-embedded scripti
ii  perl                          5.10.0-13  Larry Wall's Practical Extraction 
ii  php5-mcrypt                   5.2.6-3    MCrypt module for php5
ii  php5-mysql                    5.2.6-3    MySQL module for php5

Versions of packages phpmyadmin recommends:
ii  apache2                       2.2.9-7    Apache HTTP Server metapackage
ii  apache2-mpm-prefork [httpd]   2.2.9-7    Apache HTTP Server - traditional n
ii  php5-gd                       5.2.6-3    GD module for php5

Versions of packages phpmyadmin suggests:
ii  mysql-server                  5.0.51a-12 MySQL database server (metapackage
ii  mysql-server-5.0 [mysql-serve 5.0.51a-12 MySQL database server binaries

-- debconf information excluded




Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#499399; Package phpmyadmin. (Sat, 20 Sep 2008 12:51:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to François Gannaz <Francois.Gannaz@free.fr>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Sat, 20 Sep 2008 12:51:08 GMT) Full text and rfc822 format available.

Message #10 received at 499399@bugs.debian.org (full text, mbox):

From: François Gannaz <Francois.Gannaz@free.fr>
To: Thijs Kinkhorst <thijs@debian.org>, 499399@bugs.debian.org
Subject: Re: Bug#499399: phpmyadmin: Ignores LoginCookieValidity
Date: Sat, 20 Sep 2008 13:39:22 +0200
Hi Thijs

On Sat 20 Sep 12:49, Thijs Kinkhorst wrote:
> 
> Thank you for your report. I looked into this, but could confirm that setting 
> LoginCookieValidity in /etc/phpmyadmin/config.inc.php does indeed cause that 
> information to end up in the appropriate function.
> 
> Are you sure that your PHP configuration doesn't clean up the session before 
> the timeout happens? Check the session.gc_maxlifetime parameter 
> in /etc/php5/*/php.ini. Could you check for me what value it has and if 
> raising the value (and restarting Apache) has any effect?

Thank you for taking time in investigating this. That's right, my global
php.ini sets this parameter to 1800.

But phpMyAdmin doesn't have to follow this default parameter. IIRC, it
can use ini_set() to locally change the value of session.gc_maxlifetime.
If it doesn't, it should at least mention this in its user
documentation.

If phpMyAdmin uses the default session parameters (lifetime, path,
handler...) then any php application running on the same server can
delete its sessions anytime. I still think it's a bug, or at least a
lacking feature.

Thanks again
--
François




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#499399; Package phpmyadmin. (Sat, 20 Sep 2008 13:18:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. (Sat, 20 Sep 2008 13:18:04 GMT) Full text and rfc822 format available.

Message #15 received at 499399@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: François Gannaz <francois.gannaz@free.fr>, 499399@bugs.debian.org
Subject: Re: Bug#499399: phpmyadmin: Ignores LoginCookieValidity
Date: Sat, 20 Sep 2008 12:49:35 +0200
Hi François,

On Thursday 18 September 2008 13:43, François Gannaz wrote:
> phpMyAdmin ignores the configuration parameters that extend the duration
> of a session.
>
> In my /etc/phpmyadmin/config.inc.php:
> $cfg['Servers'][$i]['LoginCookieValidity'] = 72000; // 20 h
> $cfg['LoginCookieValidity'] = 72000; // 20 h
>
> But I still get disconnected after 1800 s (30 minutes). I also tried to
> change the 'LoginCookieStore' parameter, or to use another browser
> (firefox 3, opera 9.52).
>
> I could reproduce this on another lenny. I googled for it, and some
> Ubuntu fellows seem to have the same problem:
> http://ubuntuforums.org/showthread.php?t=743991

Thank you for your report. I looked into this, but could confirm that setting 
LoginCookieValidity in /etc/phpmyadmin/config.inc.php does indeed cause that 
information to end up in the appropriate function.

Are you sure that your PHP configuration doesn't clean up the session before 
the timeout happens? Check the session.gc_maxlifetime parameter 
in /etc/php5/*/php.ini. Could you check for me what value it has and if 
raising the value (and restarting Apache) has any effect?


cheers,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#499399; Package phpmyadmin. (Sat, 20 Sep 2008 13:39:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. (Sat, 20 Sep 2008 13:39:05 GMT) Full text and rfc822 format available.

Message #20 received at 499399@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: François Gannaz <Francois.Gannaz@free.fr>
Cc: 499399@bugs.debian.org
Subject: Re: Bug#499399: phpmyadmin: Ignores LoginCookieValidity
Date: Sat, 20 Sep 2008 14:49:38 +0200
On Saturday 20 September 2008 13:39, François Gannaz wrote:
> Thank you for taking time in investigating this. That's right, my global
> php.ini sets this parameter to 1800.
>
> But phpMyAdmin doesn't have to follow this default parameter. IIRC, it
> can use ini_set() to locally change the value of session.gc_maxlifetime.
> If it doesn't, it should at least mention this in its user
> documentation.

Right, I'll regard this as a documentation bug then, and I'll ask upstream to 
document that (or implement the additional feature of changing 
gc_maxlifetime).

> If phpMyAdmin uses the default session parameters (lifetime, path,
> handler...) then any php application running on the same server can
> delete its sessions anytime. I still think it's a bug, or at least a
> lacking feature.

That can happen in any shared hosting setup where all scripts run as the 
www-data user. This is nothing that phpMyAdmin should be solving; if you're 
concerned about that a suexec+fastcgi solution may be better suited for your 
needs.


Thijs

Noted your statement that Bug has been forwarded to http://sf.net/support/tracker.php?aid=2127987. Request was from "Thijs Kinkhorst" <thijs@debian.org> to control@bugs.debian.org. (Thu, 25 Sep 2008 09:33:04 GMT) Full text and rfc822 format available.

Severity set to `wishlist' from `normal' Request was from "Thijs Kinkhorst" <thijs@debian.org> to control@bugs.debian.org. (Thu, 25 Sep 2008 09:33:06 GMT) Full text and rfc822 format available.

Tags added: fixed-upstream Request was from Michal Čihař <nijel@debian.org> to control@bugs.debian.org. (Sun, 30 Nov 2008 13:42:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#499399; Package phpmyadmin. (Tue, 21 Apr 2009 02:48:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Gerry_priv <gerry.spm@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Tue, 21 Apr 2009 02:48:02 GMT) Full text and rfc822 format available.

Message #31 received at 499399@bugs.debian.org (full text, mbox):

From: Gerry_priv <gerry.spm@gmail.com>
To: 499399@bugs.debian.org
Subject: The solution
Date: Tue, 21 Apr 2009 10:38:48 +0800
Adding the line:
ini_set('session.gc_maxlifetime', $cfg['LoginCookieValidity']);

just below where I have set $cfg['LoginCookieValidity'] in the config file
fixes this issue for me.

--------
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499399
--------

Reply sent to Michal Čihař <nijel@debian.org>:
You have taken responsibility. (Wed, 17 Jun 2009 17:24:24 GMT) Full text and rfc822 format available.

Notification sent to François Gannaz <francois.gannaz@free.fr>:
Bug acknowledged by developer. (Wed, 17 Jun 2009 17:24:25 GMT) Full text and rfc822 format available.

Message #36 received at 499399-close@bugs.debian.org (full text, mbox):

From: Michal Čihař <nijel@debian.org>
To: 499399-close@bugs.debian.org
Subject: Bug#499399: fixed in phpmyadmin 4:3.2.0-1
Date: Wed, 17 Jun 2009 15:36:52 +0000
Source: phpmyadmin
Source-Version: 4:3.2.0-1

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_3.2.0-1.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_3.2.0-1.diff.gz
phpmyadmin_3.2.0-1.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_3.2.0-1.dsc
phpmyadmin_3.2.0-1_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_3.2.0-1_all.deb
phpmyadmin_3.2.0.orig.tar.gz
  to pool/main/p/phpmyadmin/phpmyadmin_3.2.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 499399@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michal Čihař <nijel@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 17 Jun 2009 16:37:11 +0200
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:3.2.0-1
Distribution: unstable
Urgency: low
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Michal Čihař <nijel@debian.org>
Description: 
 phpmyadmin - MySQL web administration tool
Closes: 499399
Changes: 
 phpmyadmin (4:3.2.0-1) unstable; urgency=low
 .
   [ Thijs Kinkhorst ]
   * New upstream release.
     - Warns when gc_maxlifetime is less than cookie validity
       (closes: #499399).
 .
   [ Michal Čihař ]
   * Adjust patches to make use of new upstream vendor configuration.
   * Switch to quilt from dpatch.
   * Update to policy 3.8.2 (no changes needed).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jul 2009 07:39:49 GMT) Full text and rfc822 format available.
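
The mismatch this report turned on, and the condition the 3.2.0 changelog says upstream now warns about (gc_maxlifetime less than the cookie validity), can be checked from the two configuration files. The script below is an added example, not part of this bug log or of phpMyAdmin's code; the function name `audit`, the sample file contents (constructed) and the use of PHP's built-in default of 1440 s for an unset directive are assumptions of the example.

```python
import re

# PHP's built-in default when php.ini leaves the directive unset.
PHP_DEFAULT_GC_MAXLIFETIME = 1440

GC_RE = re.compile(r'^\s*session\.gc_maxlifetime\s*=\s*"?(\d+)', re.M)
# Global key only; the per-server line from the report starts with $cfg['Servers'].
VALIDITY_RE = re.compile(r"""^\s*\$cfg\[['"]LoginCookieValidity['"]\]\s*=\s*(\d+)""", re.M)
# The workaround from message #31, matched only when it is not commented out.
OVERRIDE_RE = re.compile(
    r"""^\s*ini_set\(\s*['"]session\.gc_maxlifetime['"]\s*,\s*"""
    r"""\$cfg\[['"]LoginCookieValidity['"]\]\s*\)""", re.M)

def audit(php_ini_text, config_text):
    """Compare PHP's session GC lifetime with phpMyAdmin's cookie validity."""
    gc_values = GC_RE.findall(php_ini_text)
    # Take the last assignment found in the file; commented lines never match.
    gc = int(gc_values[-1]) if gc_values else PHP_DEFAULT_GC_MAXLIFETIME
    validity_values = VALIDITY_RE.findall(config_text)
    validity = int(validity_values[-1]) if validity_values else None
    if validity is not None and OVERRIDE_RE.search(config_text):
        gc = validity  # ini_set() replaces the php.ini value while phpMyAdmin runs
    # An idle session survives only as long as the shorter of the two limits.
    effective = gc if validity is None else min(gc, validity)
    return {"gc_maxlifetime": gc, "LoginCookieValidity": validity,
            "effective": effective,
            "warn": validity is not None and gc < validity}

# Constructed sample inputs (not taken from a real host).
SAMPLE_INI = """\
[Session]
; session.gc_maxlifetime = 3600
session.gc_maxlifetime = 1800
"""
SAMPLE_CONFIG = """\
<?php
$cfg['Servers'][$i]['LoginCookieValidity'] = 72000; // 20 h
$cfg['LoginCookieValidity'] = 72000; // 20 h
"""
WORKAROUND = "ini_set('session.gc_maxlifetime', $cfg['LoginCookieValidity']);\n"

if __name__ == "__main__":
    print(audit(SAMPLE_INI, SAMPLE_CONFIG))               # reporter's setup
    print(audit(SAMPLE_INI, SAMPLE_CONFIG + WORKAROUND))  # with the ini_set() line
```

Feed it each php.ini under /etc/php5/*/ in turn, since the per-SAPI files can carry different values.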



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 19:48:21 2014; Machine Name: buxtehude.debian.org
