Description of problem:
After updating from 4.0.10.16 to 4.0.10.17, with an existing/working configuration, users can no longer login. Sometimes, the first user can authenticate OK, but additional users cannot login. It appears to use the username of the first user who logged in no matter what is specified in the username prompt. The problem seems to be related to a long blowfish_secret value.

Version-Release number of selected component (if applicable):
4.0.10.17-2

How reproducible:
always

Steps to Reproduce:
1. Start with CentOS 6.8.x (we started with a Digital Ocean droplet)
2. yum -y install epel-release
3. yum -y install mysql-server mysql phpMyAdmin-4.0.10.17-2 httpd php (yes, httpd and php)
4. service httpd start
5. service mysqld start
6. mysql_secure_installation (set a root password, remove anonymous, etc. (accept defaults))
7. Create test users
   a. mysql -p
   b. create database pmatest;
   c. grant all on pmatest.* to user1@'%' identified by 'User1Password!';
   d. grant all on pmatest.* to user2@'%' identified by 'User2Password!';
   e. quit;
8. IF REMOTE FROM SERVER: modify /etc/httpd/conf.d/phpMyAdmin.conf
   a. add "Allow from w.x.y.z" (your IP) lines at each of the "Allow from 127.0.0.1" entries
   b. service httpd restart
9. EDIT: /etc/phpMyAdmin/config.inc.php
   a. set $cfg['blowfish_secret'] to a randomly generated 256 character password
10. Visit http://SERVER_ADDRESS/phpMyAdmin
   a. login as user1
   b. LOGOUT (FAIL)
   c. Open an incognito window (or a different browser, or clear domain cookies), and browse to the /phpMyAdmin URL again
   d. login as user2 (FAIL?) (NOTE: mysql server error logs will show the first user)
11. For verification that it worked before:
   a. yum downgrade phpMyAdmin (ensure it is 4.0.10.16)
   b. repeat step 10 above, it works!

Actual results:
After the first user logs in, logout fails, and if you open a new incognito window or clear domain cookies, and try to login again, then it gets strange.
* If the second user's login credentials are correct, then for some reason you get a server error message: "Access denied for user 'user1'@'127.0.0.1' (using password: YES)"
* If the second user's password is incorrect, then you get the expected error message on the server: "Access denied for user 'user2'@'127.0.0.1' (using password: YES)"

Expected results:
* Logout should work
* Login with valid credentials should work

Additional info:
We have found that the problem was with the $cfg['blowfish_secret'] value. On our servers, that was set to a 256 character alphanumeric string. The documentation says: "The secret should be 32 characters long. Using shorter will lead to weaker security of encrypted cookies, using longer will cause no harm." ... we interpreted that as "longer is better", so we used 256 characters. Our configuration worked up to 4.0.10.16, but after the 4.0.10.17 release we had issues.

XREF: https://serverfault.com/questions/805488/phpmyadmin-authentication-issues-on-upgrade-to-phpmyadmin-4-0-10-17-2-el6
WORKAROUND: Change the blowfish_secret to 32 characters.
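A check for the workaround above, as an added example (not code from the report or from phpMyAdmin): it reads a config.inc.php, reports whether $cfg['blowfish_secret'] is missing, shorter or longer than the documented 32 characters, and rewrites it to a fresh 32-character alphanumeric value. It assumes the secret is assigned as a quoted string on a single line, as in the EPEL package's config.inc.php; the sample config below is constructed.

```python
import re
import secrets
import string

RECOMMENDED_LENGTH = 32  # the length the phpMyAdmin docs call for

# Matches a line of the form:  $cfg['blowfish_secret'] = '...';
# (anything after the semicolon, e.g. a comment, is left untouched)
_SECRET_RE = re.compile(
    r"""^(?P<lhs>[ \t]*\$cfg\[\s*['"]blowfish_secret['"]\s*\]\s*=\s*)"""
    r"""(?P<q>['"])(?P<value>.*?)(?P=q)\s*;""",
    re.MULTILINE,
)

def get_blowfish_secret(config_text):
    """Return the configured secret, or None if the setting is absent."""
    m = _SECRET_RE.search(config_text)
    return m.group("value") if m else None

def check_blowfish_secret(config_text):
    """Classify the secret as 'missing', 'short', 'ok' or 'long'.
    'long' is the report's case (256 chars broke cookie logins on 4.0.10.17);
    'short' weakens the cookie encryption."""
    value = get_blowfish_secret(config_text)
    if value is None:
        return "missing"
    if len(value) < RECOMMENDED_LENGTH:
        return "short"
    return "long" if len(value) > RECOMMENDED_LENGTH else "ok"

def new_blowfish_secret(length=RECOMMENDED_LENGTH):
    """Generate a random alphanumeric secret of exactly `length` characters
    (alphanumeric so it needs no escaping inside PHP single quotes)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def fix_blowfish_secret(config_text):
    """Return config_text with the secret replaced by a fresh 32-char one."""
    fresh = new_blowfish_secret()
    text, n = _SECRET_RE.subn(lambda m: m.group("lhs") + "'" + fresh + "';",
                              config_text, count=1)
    if n == 0:
        raise ValueError("no $cfg['blowfish_secret'] assignment found")
    return text

# Constructed sample mirroring the report: a 256-character alphanumeric secret.
SAMPLE_CONFIG = ("<?php\n"
                 "$cfg['blowfish_secret'] = '" + "a1" * 128 + "'; /* too long */\n"
                 "$cfg['Servers'][1]['auth_type'] = 'cookie';\n")
```

To apply it to a real install, read /etc/phpMyAdmin/config.inc.php, pass the text through fix_blowfish_secret, and write the result back; every existing cookie session is then invalidated, as it would be after any secret change.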
After spending some time now trying to track this down... are you able to reproduce this issue with a pristine phpMyAdmin 4.0.10.17 as well? So grabbing the tarball from upstream rather than the RPM package from EPEL?
Hi Robert,

Sorry for the massive delay in response (thanks Google for "categorizing" my Bugzilla emails as updates). I no longer actively work for the client that had this issue. It shouldn't be too hard, though. Just set $cfg['blowfish_secret'] to 256 characters random alphanumeric. :) I don't even have any more MySQL servers to test it on (at the moment). If no one else picks this up, maybe it can just live as the documentation

Tommy