Asked  9 Months ago    Answers:  5   Viewed   88 times

I installed phpMyAdmin 4.0.4.1 on my local development environment and set auth_type to config. I also provide the authentication requirements with these settings:

$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['password'] = 'somepassword';

But after it has been idle for a while, if I click on any link in it, it shows me a token mismatch error. Is there any way that I can increase its TTL, or keep it alive permanently?

The picture above shows the error.

 Answers

27

I solved this annoying problem by following the instructions below:

  1. open /etc/php5/apache2/php.ini
  2. find ;session.save_path = "/tmp" (this line may also look like ;session.save_path = "/var/lib/php5")
  3. remove first semicolon from this line
  4. restart apache by executing sudo service apache2 restart

FYI: I work under Ubuntu 12.04 with apache2, php5, phpMyAdmin 4.0.5, so on different systems and servers the file path may be a little different.

In case of any trouble, check whether the directory from step 2 is writable by the server.

Good luck.

Wednesday, March 31, 2021
 
John_BSDthos
answered 9 Months ago
63

Try this for the form.

<form method="post" action="{{route('f.submit')}}">
{{csrf_field()}}

<input class="form-control" type="text" name="fname">
<input type="submit" name="submit" value="Create">
</form>

In Controller.

public function formSubmit(Request $request)
{
  $request->all();
}
Wednesday, March 31, 2021
 
williamcarswell
answered 9 Months ago
29

As it turns out, @hakre was on the right path, but the change didn't solve the problem. The problem is that Plesk directly assigns *.php files to be processed through php_fpm. In the Virtual Host Apache configuration file we have...

<Files ~ (.php$)>
    SetHandler proxy:unix:///var/www/vhosts/system/wwphelps.com/php-fpm.sock|fcgi://127.0.0.1:9000
</Files>

This is how Plesk is specifically attaching one version of PHP over another by domain name. And anything that doesn't fall into this rule is interpreted by Apache's global rules, which for me are looking at a different install of PHP. (Why Plesk doesn't have a global override to point at their own PHP installs is a bit of a wonder, but I suspect this is a bug they've never encountered before.) So, logically, we'd need only add for each file we want to process without the .php suffix...

<Files action1>
    SetHandler proxy:unix:///var/www/vhosts/system/wwphelps.com/php-fpm.sock|fcgi://127.0.0.1:9000
</Files>

It is true that you need to do this, but for me it didn't work as advertised. My web page simply said "Access Denied" and my error files pointed me to FPM's security.limit_extensions parameter. In other words, despite specifically identifying a file I wanted to use without a suffix, FPM rejected it anyway. Here's where I got lazy. I reset the variable to nothing. In Plesk that's done by creating or modifying a php.ini file inside the domain's conf directory and adding (including the header if it's not already there)...

[php-fpm-pool-settings]
security.limit_extensions =

Restart Apache and Bob's your uncle.

According to a really rapid Google search, the ability to directly modify FPM parameters from inside Plesk is still up for debate.

Now, this comes with a price. From the perspective of the FPM socket, suddenly any file in your web root "could" be executed as a PHP file, including images customers upload and you blindly put in your [ROOT]/images directory. You're partially saved by the fact that unless you've told Apache otherwise, just any old file won't be interpreted as a PHP file. However, you'd be better protected if all files you upload through your site are (a) thoroughly vetted to be sure they are what they claim to be and (b) are either saved outside the web root or in a DB so that nobody can "execute" them by referring to them directly.

Finally, there ought to be a way to override in a config file those files that I want to intentionally violate security.limit_extensions. Unfortunately, FPM and Apache don't appear to talk to each other, otherwise the use of the <Files> block would completely override security.limit_extensions. For all I know there's a way to do it. I'd be curious to know, but I have a working solution, so I'm back to work.

Friday, May 28, 2021
 
employeegts
answered 7 Months ago
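
An added example, not part of the answer above and not Plesk's or PHP's own tooling: a small audit that flags INI-style FPM settings where security.limit_extensions has been emptied, as the answer does, or widened to upload-type extensions. The RISKY_EXTS list, the section names other than [php-fpm-pool-settings] and the sample text are assumptions constructed for illustration.

```python
import re

DIRECTIVE = "security.limit_extensions"
# Assumed list for this example: upload-type extensions that should never
# be handed to the PHP interpreter.
RISKY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".svg", ".txt", ".html"}

# Constructed sample. Only the first section mirrors the answer's php.ini;
# the other section names are made up for illustration.
SAMPLE = """\
[php-fpm-pool-settings]
security.limit_extensions =

[hardened-pool]
security.limit_extensions = .php

[mixed-pool]
; security.limit_extensions =
security.limit_extensions = .php .jpg
"""


def audit_limit_extensions(config_text):
    """Return (section, line_no, problem) for each unsafe directive."""
    findings = []
    section = None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank or commented out, so the directive is inactive
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != DIRECTIVE:
            continue
        # Drop a trailing ";" comment and quotes, then split on whitespace.
        exts = value.split(";")[0].replace('"', "").lower().split()
        risky = sorted(set(exts) & RISKY_EXTS)
        if not exts:
            findings.append((section, line_no, "empty: FPM accepts any extension"))
        elif risky:
            findings.append((section, line_no, "allows " + " ".join(risky)))
    return findings


if __name__ == "__main__":
    for section, line_no, problem in audit_limit_extensions(SAMPLE):
        print(f"[{section}] line {line_no}: {problem}")
```

A pool flagged as empty is the case where the answer's points (a) and (b) about vetting uploads and storing them outside the web root become the remaining safeguard.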
94

The problem:

session_start() relies on $_COOKIE[session_name()], so, if you edit the cookie value to something like #$#$FDSFSR#"#"$"#$" or simply empty it (not delete the cookie) and refresh a page with your code:

if (!session_id()) {
    session_start();
}

The following warning is generated:

PHP Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/username/public_html/session_start.php on line 7

This happens because php is checking if session_id() exists and, in fact, it exists, but contains illegal characters not allowed as session_id name.

A valid session id may contain only digits, letters A to Z (both upper and lower case), comma and dash ([-,a-zA-Z0-9]) between 1 and 128 characters.


My solution:

Check if $_COOKIE[session_name()] is set and contains a valid session_id prior to session_start(), otherwise, delete the session cookie and only then session_start(), something like:

function safeSession() {
    if (isset($_COOKIE[session_name()]) AND preg_match('/^[-,a-zA-Z0-9]{1,128}$/', $_COOKIE[session_name()])) {
        session_start();
    } elseif (isset($_COOKIE[session_name()])) {
        unset($_COOKIE[session_name()]);
        session_start(); 
    } else {
        session_start(); 
    }
}

Start the session:

safeSession();

NOTES:

1 - session_name is defined on your php.ini as session.name = SOMETHING (default is PHPSESSID), so, you may be looking for a cookie matching session.name. You can use the session_name() function to retrieve it.

2 - Session cookie manipulation can be used by hackers to dump information from your server (username and path) if ini_set('display_errors', 1); is set.

3 - session_regenerate_id(true) works but, because it checks the current session_id prior to assigning a new one, generates warnings.

4 - I've tested the code with several invalid session names and no errors or warnings were generated, everything worked as intended.


References:

session.c Source Code

Saturday, May 29, 2021
 
SpiderLinked
answered 7 Months ago
10

You need to pass timestamp in milliseconds:

long test_timestamp = 1499070300000L;
LocalDateTime triggerTime =
        LocalDateTime.ofInstant(Instant.ofEpochMilli(test_timestamp), 
                                TimeZone.getDefault().toZoneId());  

System.out.println(triggerTime);

Result:

2017-07-03T10:25

Or use ofEpochSecond instead:

long test_timestamp = 1499070300L;
LocalDateTime triggerTime =
       LocalDateTime.ofInstant(Instant.ofEpochSecond(test_timestamp),
                               TimeZone.getDefault().toZoneId());   

System.out.println(triggerTime);

Result:

2017-07-03T10:25
Sunday, August 1, 2021
 
maelgrove
answered 4 Months ago