12 Aug
2002
12 Aug
'02
3:49 a.m.
2. We should deprecate the user/password standard
login, or add a bit of
technology to it. We should throw up a login page of our own, that should
authenticate against a user/password pair in an array inside the
configuration file. It might be possible to keep the automatic login of
user/password, but it should not be enabled by default, for security.
And the configuration option to turn that unsecure method back on should
have huge warnings around it.
i agree there, actually i was rather shocked to read an article about
phpMyAdmin in the german 'Linux Magazine' last week where they talked about
how to configure it and said, that usually it is ok to leave the standard
entry of 'root' (without a password) there! So that guy writing the article
seems to think it is normal to set up a MySQL Server without giving a
password for root and he understands our config.inc.php3 to suggest it
should be like that... well i think i'll send them a readers letter but also
we should change the doku and the config.inc. to more explicitely propose
using of http or cookie protection.
regards
mike