Hi Robin and List!
I've updated your code a bit, Robin, and put all the related functions inside a distinct library. My first tests with the "http" authentication mode are fine :)
But I've got a question: imagine that the script detects the user is behind a proxy but can't get the true IP of this user. What should we do in this case? (Currently, the script allows the user to log in).
BTW, what do you think of adding some warning in the documentation about this feature, because it's a security mechanism for phpMyAdmin only and not for MySQL itself, and I'm afraid some end-users would be a bit confused otherwise?
Loïc
----- Original Message ----- From: "Loïc" loic-div@ifrance.com
> But I've got a question: imagine that the script detects the user is behind a proxy but can't get the true IP of this user. What should we do in this case? (Currently, the script allows the user to log in).
We must change this. It would be too insecure if we let the user log in without knowing their IP!
> BTW, what do you think of adding some warning in the documentation about this feature, because it's a security mechanism for phpMyAdmin only and not for MySQL itself, and I'm afraid some end-users would be a bit confused otherwise?
Of course we should do that. And we'd also better add a warning about the proxy problem if we cannot solve it.
Alexander
On Sat, 18 May 2002, Loïc wrote:
> I've updated your code a bit, Robin, and put all the related functions inside a distinct library. My first tests with the "http" authentication mode are fine :)
Thanks.
> But I've got a question: imagine that the script detects the user is behind a proxy but can't get the true IP of this user. What should we do in this case? (Currently, the script allows the user to log in).
Actually, it depends on what the order is set to. If it is set to explicit, and we can't get the user's IP, then he is not allowed in. Similarly, if they have a proper 'deny % from all' rule and they use order as 'deny,allow', then the user that we can't get an IP for is not allowed in either.
The only case I can find where we will not be able to get the true IP of the user is if he is using one or more broken proxy servers that do not correctly set HTTP headers.
> BTW, what do you think of adding some warning in the documentation about this feature, because it's a security mechanism for phpMyAdmin only and not for MySQL itself, and I'm afraid some end-users would be a bit confused otherwise?
Ok, I will document it this evening.
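
The behaviour discussed in this thread, as an added example that is not code from the thread or from phpMyAdmin: a simplified Python model of how an unknown client IP interacts with the 'explicit' and 'deny,allow' orders. The function names, the use of the `Via` and `X-Forwarded-For` headers for proxy detection, CIDR matching, and the sample rules are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

def resolve_client_ip(remote_addr, headers):
    """Return the client IP, or None when a proxy is detected but gives no usable IP.
    Assumption: header names are passed exactly as 'Via' / 'X-Forwarded-For'."""
    if "Via" not in headers and "X-Forwarded-For" not in headers:
        return remote_addr                      # direct connection
    first_hop = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    try:
        return str(ip_address(first_hop))
    except ValueError:
        return None                             # broken proxy: true IP unknown

def rule_matches(rule, action, user, client_ip):
    """Rule shape as quoted in the thread: '<allow|deny> <user|%> from <all|ip|cidr>'."""
    r_action, r_user, _, source = rule.split()
    if r_action != action or r_user not in ("%", user):
        return False
    if source == "all":
        return True                             # 'all' matches even an unknown IP
    if client_ip is None:
        return False                            # unknown IP never satisfies an address rule
    return ip_address(client_ip) in ip_network(source, strict=False)

def is_allowed(order, rules, user, client_ip):
    allow = any(rule_matches(r, "allow", user, client_ip) for r in rules)
    deny = any(rule_matches(r, "deny", user, client_ip) for r in rules)
    if order == "explicit":
        return allow and not deny               # must be listed in allow, not in deny
    if order == "deny,allow":
        return allow or not deny                # default allow; allow overrides deny
    raise ValueError(f"order not modelled here: {order}")

# Constructed sample rule sets (documentation address ranges).
RULES_WITH_DENY_ALL = ["deny % from all", "allow root from 192.0.2.0/24"]
RULES_WITHOUT_DENY_ALL = ["deny % from 198.51.100.0/24", "allow root from 192.0.2.0/24"]

def demo():
    unknown = resolve_client_ip("203.0.113.7", {"Via": "1.0 proxy"})
    return {
        "explicit, unknown IP": is_allowed("explicit", RULES_WITH_DENY_ALL, "root", unknown),
        "deny,allow + deny all, unknown IP": is_allowed("deny,allow", RULES_WITH_DENY_ALL, "root", unknown),
        "deny,allow, no deny all, unknown IP": is_allowed("deny,allow", RULES_WITHOUT_DENY_ALL, "root", unknown),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Only the third case lets the user in: with 'deny,allow' and no 'deny % from all' rule, a client whose IP cannot be determined matches no deny rule and falls through to the default.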