- We should deprecate the user/password standard login, or add a bit of technology to it. We should throw up a login page of our own, that should authenticate against a user/password pair in an array inside the configuration file. It might be possible to keep the automatic login of user/password, but it should not be enabled by default, for security. And the configuration option to turn that unsecure method back on should have huge warnings around it.
I agree there. Actually, I was rather shocked to read an article about phpMyAdmin in the German 'Linux Magazine' last week where they talked about how to configure it and said that usually it is OK to leave the standard entry of 'root' (without a password) there! So the guy writing the article seems to think it is normal to set up a MySQL server without giving a password for root, and he understands our config.inc.php3 to suggest it should be like that... Well, I think I'll send them a reader's letter, but we should also change the docs and the config.inc. to more explicitly propose using http or cookie protection.
regards
mike