phpMyAdmin error: Cannot start session without errors if httponly/secure cookies are enabled

Question

I just updates phpmyadmin on my LAMP server on latest Debian wheezy to the newest version and now I am getting the following error when I try to log in using the cookie auth method:

phpMyAdmin - Error
Cannot start session without errors, please check errors given in your PHP and/or webserver log file and configure your PHP installation properly.

Logging in using the auth method http works fine. SSL is disabled at the moment for both cases. Googling about this problem for two days did not help. The most-mentioned problem regarding missing access rights to the cookies' save path does not apply here. Cookies are written to /var/lib/php5, so all permissions seem to be there. Also setting them mannually to chmod 777 www-data:www-data does not work.

No errors are logged into the apache or php logfile when it fails to log me in. Other errors are being logged (I created a test.php with broken syntax) so the logging itself works.

EDIT2: I found something: The problem lies within safe/secure cookies. Disabling

Header set Set-Cookie HttpOnly;Secure

solves the problem. But disabling this is no good solution. My /etc/php5/apache2/php.ini and /etc/php5/cli/php.ini files both include the lines

session.cookie_httponly = true
session.cookie_secure = true

and a php -i |grep cookie shows that both options are enabled.

EDIT3: D'oh. The problem was that I enabled the cookie flag secure (=cookies may only be sent via a secure connection) but disabled SSL. So no cookies could be sent...

Answer 1

This occur because phpmyadmin can't write in folder defined in php configuration as session.save_path.

To fix the issue do:

• Do php -i | grep session.save_path to find the folder used for sessions. In my case I had as output: session.save_path => /var/lib/php/session => /var/lib/php/session

• Make sure that the folder defined in session.save_path exists. In my case I did mkdir -p /var/lib/php/session

• Make sure that the folder writeble by apache. In my case I did:

  • sudo setfacl -R -m u:www-data:rwX /var/lib/php/session
  • sudo setfacl -dR -m u:www-data:rwX /var/lib/php/session
  • Do sudo chown -R www-data /var/lib/php/session if setfacl is not available.

Answer 2

After testing this for one day, it seems that I figured out the answer:

The problem was that I enabled the cookie flag "Secure" (=cookies may only be sent via a secure connection) but disabled SSL. So no cookies could be sent and phpmyadmin (pma) kind of breaks.

Disabling the secure flag solved the problem as enabling ssl did, too.

This also solve another problem: The setup script of pma (normally reachable at yourdomain/phpmyadmin/setup/) did not work as expected: The interface itself showed up but it was not possible to add servers or save the manually changed configuration or to download/upload any files.