On Wednesday 3 September 2008 11:53, Michal Čihař wrote:
- Disallow logging in as root without password unless explicitly
  allowed in our config file.
- Make cookie the default authentication method.
- If no Blowfish secret is set, generate one on the fly and store it
  in the session - it should work for login, but it won't allow recalling the username on next login, but if the user wants this feature, he needs to set the secret in config.

Opinions on making such a change in trunk?

I'd be in favour. Especially the root-without-password issue seems to pop up from time to time, and I think that the number of users that willingly want to open up access for root+"" is very small. You could add an extra check if REMOTE_ADDR != 127.0.0.1, so localhost,root,"" is still possible as it would be with the mysql command line client, but any truly remote access isn't.
cheers, Thijs
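
Added example, not part of the original thread and not phpMyAdmin code: a PHP sketch of the policy discussed above, combining the explicit opt-in for root with an empty password, the loopback exception, and the per-session fallback secret. The config keys, function names and sample addresses are hypothetical, and the loopback test generalizes the 127.0.0.1 check in the reply to all of 127.0.0.0/8 and ::1.

```php
<?php
declare(strict_types=1);

// Hypothetical config; key names are illustrative, not phpMyAdmin's own.
$config = [
    'allow_root_no_password' => false, // explicit opt-in required
    'cookie_secret'          => '',    // empty: fall back to a per-session secret
];

/** True only for loopback peers (127.0.0.0/8 or ::1); anything else is remote. */
function isLoopback(string $remoteAddr): bool
{
    $packed = @inet_pton($remoteAddr);
    if ($packed === false) {
        return false; // unparsable address: fail closed
    }
    return strlen($packed) === 4
        ? ord($packed[0]) === 127
        : $packed === inet_pton('::1');
}

/** May this login attempt be passed on to the database server at all? */
function mayAttemptLogin(array $config, string $user, string $password, string $remoteAddr): bool
{
    if ($user !== 'root' || $password !== '') {
        return true; // not the root + "" case; the server checks the credentials
    }
    // Note: behind a reverse proxy on the same host, REMOTE_ADDR is the proxy's
    // address (often 127.0.0.1), so the loopback exception must be dropped there.
    return $config['allow_root_no_password'] === true || isLoopback($remoteAddr);
}

/** Configured secret if set; otherwise one generated once and kept in the session. */
function cookieSecret(array $config, array &$session): string
{
    if ($config['cookie_secret'] !== '') {
        return $config['cookie_secret'];
    }
    // Lives only as long as the session, so a remembered username cannot be
    // decrypted on a later visit.
    $session['generated_secret'] ??= bin2hex(random_bytes(32));
    return $session['generated_secret'];
}

// Constructed sample attempts: [user, password, REMOTE_ADDR].
$attempts = [['root', '', '127.0.0.1'], ['root', '', '203.0.113.7'], ['root', 'pw', '203.0.113.7']];
$session = []; // stands in for $_SESSION so the sketch runs from the CLI
foreach ($attempts as [$user, $password, $addr]) {
    $verdict = mayAttemptLogin($config, $user, $password, $addr) ? 'allow' : 'deny';
    printf("%-5s pw=%-4s from %-12s => %s\n", $user, var_export($password, true), $addr, $verdict);
}
printf("secret stable within session: %s\n", var_export(cookieSecret($config, $session) === cookieSecret($config, $session), true));
```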