Ad Widget

**Hamardaban** · 03-12-2020, 20:17

The solution to that problem is written:
2019 Dec 05 13:42
solved. problem was in cookies settings in httpd.conf (in attachment).

in version 5.2 there were changes in session storage (Zabbix session data is now stored in a user cookie.) perhaps your problems are related to this.
Recommendations for elimination standard:

Check frontend can communicate with database without errors on the db side;
simplify apache and php configuration and check frontend, see apache and php log for error.
check php.ini the presence of obsolete parameters. remove.
clear browser cache.

**FrankB** · 03-12-2020, 21:18

I've seen the post, but I dont' know what to do

in httpd thes modules are disabled - is this correct ?

#LoadModule session_module modules/mod_session.so
#LoadModule session_cookie_module modules/mod_session_cookie.so
#LoadModule session_crypto_module modules/mod_session_crypto.so
#LoadModule session_dbd_module modules/mod_session_dbd.so

and in zabbix_80

Header unset X-Frame-Options
Header always append X-Frame-Options SAMEORIGIN
Header unset Strict-Transport-Security
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header edit Set-Cookie "(?i)^((?

?!;\s?Secure).)+)$" "$1; HttpOnly; Secure"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff

RequestReadTimeout header=10-15,MinRate=500

Should i add this to teh apache2 conf of zabbix ?

**FrankB** · 05-12-2020, 21:40

Maybe it's not a session problem, but something else:
It's zabbix 5.2.2 upgrade from 4.02

i login as Admin ( i set Debug mode in usergroup of Guess group !) then i get debug button, when i set debug=1 in Zabbox Administrators Group where Admin is member, i don't get the debug Button

From debug ist seems that i am Admin ID=100100000000001 but alle permissions and settings are from User Guest

4. user.get [CDashboardHelper.php:36]

Parameters:
Array ( [output] => Array ( [0] => name [1] => surname [2] => alias ) [userids] => 100100000000001 )

Result:
Array ( [0] => Array ( [userid] => 100100000000001 [name] => Zabbix [surname] => Administrator [alias] => Admin ) )

and later in the debug Window:

SQL (0.000375): SELECT NULL FROM users u WHERE u.userid=100100000000002 FOR UPDATE zabbix.php:22 → require_once() → ZBase->run() → CViewHelper::loadSidebarMode() → CProfile::get() → CProfile::init() → DBselect() in include/classes/user/CProfile.php:37 SQL (6.3E-5): SELECT type,value_id,value_int,value_str,idx2 FROM profiles WHERE userid=100100000000002 AND idx='web.sidebar.mode' zabbix.php:22 → require_once() → ZBase->run() → CViewHelper::loadSidebarMode() → CProfile::get() → DBselect() in include/classes/user/CProfile.php:179

and more of sql

userid: 100100000000002 ist Guest

Maybe somthin else has gone wrong with the update ?

**FrankB** · 06-12-2020, 23:04

additional Information: zabbix 5.2.2

i tried a new database and run schema, images and data
then i run the ui setup again -> login is not possible ! error "you have to login"

then :
dropped database
installed 5.0.6 and copied ui
created new database
run schema, images and data from 5.0.6
then i run the ui setup again -> and hurray => everything is working as expected, login possible

the only thing i changed is database and php frontend, nothing else, no php.ini, no apache.conf

so i think there must be a problem with zabbix 5.2.2 and debian 9 and 10, i tried php 7.3 and 7.4 with same problem

or if it's a configuration problem, maybe someone can post his working apache2 and php config ?

,

**raoel** · 07-12-2020, 15:15

I'm having the same thing ; upgrading from 5.0.4 and I've tried:
- disabling and enabling all apache modules
- check apache / php / zabbix_server logs: nothing found
- php connection to mysql is working (I've simplified the configuration as requested)
- I used a clean browser (installed a seperate browser without plugins and no history)
- when I check the database I can see sessions being created for both myself and guest and I see the guest screen, so I'm guessing my session is created successfully but then I get a guest-session....

so sounds like a clean install is the way to go?

If you want to help me, can you compare:
- enabled modules
- apache configuration
- php.ini
- zabbix.conf.php
? That would be great :-D

I'll put my config here tomorrow, because right now it's the end of the day :-)

fun fact; when I connect through the API everything is working fine. I can authenticate and then get data.

**FrankB** · 08-12-2020, 20:57

Hi,
great, that someone else has the same problem -;-)

I don't think a fresh Install will do - i tried a lof of settings and the settings from ZBX-16985
but nothing has worked - and there's no hint in documentation to do a very special settting in apache2 conf oder somewhere else

At the Moment i use 5.06 and frontend works with login, but i noticed a little change.

Every time i use a filter that results in more than one page e.g. in config hosts and i try to go to the second page, my filter settings are gone. (tried several browsers)

Did you notice that behaviour, too ? It also seems to be a cookie problem.

**raoel** · 14-12-2020, 14:43

hm, I did not experience the last problem.. (I'm using 5.0.4)

special circumstances:
- we used to have LDAP authentication
- we moved to SAML authentication
(I disabled both before the upgrade)

Code:

Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
headers_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php7_module (shared)
reqtimeout_module (shared)
rewrite_module (shared)
setenvif_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)

zabbix.conf.php:

Code:

<?php
// Zabbix GUI configuration file.
global $DB;

$DB['TYPE'] = 'MYSQL';
$DB['SERVER'] = 'localhost';
// $DB['PORT'] = '3306';
$DB['DATABASE'] = 'zabbix';
$DB['USER'] = 'zabbix';
$DB['PASSWORD'] = '<REMOVED>';


// required for zabbix 5.0 -> https://www.zabbix.com/forum/zabbix-troubleshooting-and-problems/401051-5-0-upgrade-database-history-tables-upgraded-no-even-after-double-sql
$DB['DOUBLE_IEEE754'] = 'true';

// Schema name. Used for IBM DB2 and PostgreSQL.
// $DB['SCHEMA'] = '';

$ZBX_SERVER = '168.119.237.148';
$ZBX_SERVER_PORT = '10051';
$ZBX_SERVER_NAME = '';

$IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG;

$SSO['SP_KEY'] = 'conf/certs/sp.key'; // Path to your private key.
$SSO['SP_CERT'] = 'conf/certs/sp.crt'; // Path to your public key.
$SSO['IDP_CERT'] = 'conf/certs/idp.crt'; // Path to IdP public key.

?>

We used to have this in apache:
`Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` but I disabled it.

I'm looking into how to upload my php.ini because it's too long to quote but I cannot add it as attachment, but I don't think we're doing anything non-standard.

**Alojalia** · 15-12-2020, 03:24

Originally posted by FrankB

Hi,
great, that someone else has the same problem -;-)

I don't think a fresh Install will do - i tried a lof of settings and the settings from ZBX-16985
but nothing has worked - and there's no hint in documentation to do a very special settting in apache2 conf oder somewhere else

At the Moment i use 5.06 and frontend works with login, but i noticed a little change.

Every time i use a filter that results in more than one page e.g. in config hosts and i try to go to the second page, my filter settings are gone. (tried several browsers)

Did you notice that behaviour, too ? It also seems to be a cookie problem.

You are not alone, i think we have the same problem (since we updated from 5.0 to 5.2), every time we access the frontend, we need to enter the credentials again, completely ignore the option to remember for 30 days, tested in several installations, different servers, different browsers and always the same problem.

In theory this is fixed in the next version, 5.2.3: https://support.zabbix.com/browse/ZBX-18686

Note: We have tested the changes in the two files mentioned in the bug fixed and now it works correctly.

Zabbix / Zabbix / 78b5ea52631 - ZABBIX GIT

https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/78b5ea52631cfeb4ee6659295d78a198d9948746

**raoel** · 15-12-2020, 10:27

I made those 2 changes to the code....
I would've expected the "Remember me for 30 days" default to be changed, but it is not (not even after restarting apache).

Also it does not fix our issue :-/ Also your description is different: we cannot log in at all, while your sessions become invalidated because of their short TTL?

**iand999** · 16-12-2020, 15:08

I'm seeing this also after upgrading from 4.4.7 to 5.2.2; no Configuration option when logging in as Admin; behaves like guest mode.
(platform: fc33, mariadb 10.4.17,| php-7.4.13)

Noticed these in the php-fpm log (/var/log/php-fpm/www-error.log):

[10-Dec-2020 07:36:28 UTC] PHP Warning: Unknown: Cannot call session save handler in a recursive manner in Unknown on line 0
[10-Dec-2020 07:41:05 UTC] PHP Fatal error: Uncaught Exception: Headers already sent. in /usr/local/share/zabbix/include/classes/helpers/CCookieHelper.php:68
Stack trace:
#0 /usr/local/share/zabbix/include/classes/core/CCookieSession.php(126): CCookieHelper::set()
#1 [internal function]: CCookieSession->write()
#2 {main}

After much debugging to find out where the headers were being written before the cookie was being added to them, this error is occurring somewhere in the exit handlers as called by exit in redirect().

Alas I'm not sure how to fix this; not a php/session expert by any means.

**raoel** · 16-12-2020, 16:55

I'm kinda jealous because I do not even have errors :-/

I checked if errors were logged by changing some php and throw an error and that works, so I'm sure there's no errors anywhere...

**iand999** · 17-12-2020, 00:54

A nasty nasty workaround I just did so I could again configure my zabbix was to give guest admin privs using mysql.

MariaDB [zabbix]> update users set roleid=3 where userid=2;
(roleid was 4 originally but I think the upgrade didn't set all the roleid's correctly; I had to tweak some)

I'd rather not roll back to 4.7.7; it had other issues... eg: fping on fc33 isn't compatible with it.

Also to get the ability to do error_log() type debugging I had to tweak php.ini

error_reporting = E_ALL

and in /etc/php-fpm.d/www.conf I enabled this:

catch_workers_output = yes

**FrankB** · 17-12-2020, 15:09

Alojalia This is not exactly the same = like raoel i cannot login as admin or any other user. Username and Password are checked, so when i input a wrong passwort, i can not login. When i login as any user there's an immediately fallback to guest.
I proofed it by changing theme or like raoel the permissions of the guest user .
I test it with different configurations in a virtualmin environment (tried php 7.0,7.3 and 7.4) and with fresh databases and my updated old ones. i tried php-fpm and fcgi.

Can someone confirm and test this behaviour that i have with 5.06:

Every time i use a filter that results in more than one page e.g. in config hosts and i try to go to the second page, my filter settings are gone. (tried several browsers)

Try: set a filter where you get more than 1 resultpage e.g. and turn to the next page -> does the filter change or does the results stay with the filter
in my frontend i have e.g. 3 resultpages with filter and 10 pages without filter - when i turn to page 2, result is again 10 pages

**raoel** · 29-12-2020, 14:03

Looks like it's related to "session_key". I changed it from empty into a 32-hexadecimal string in the table "config" on the SQL-server and now I can log in ....

According to the manual:

Note: This property has been removed since Zabbix 5.2.3.

So I'm wondering why this is an issue.

(and this took me a long time!!)

in the table 'config' there is a single record, I think the upgrade-code is assuming configid=1.
However, our configid = 100100000000001

I guess it's a bug? I don't know how our configid got that number, our instance has been running on the same dataset since 2.X

FrankB want to check if you have the same?

Ad Widget

Zabbix 5.x after upgrade Login to frontend is always guest

Zabbix 5.x after upgrade Login to frontend is always guest

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment