22 Mar
2007
22 Mar
'07
5:29 a.m.
Hi,
how about fall back to cookie or http auth if config auth fails?
would make it more easy to run phpMyAdmin out of the box (at least for
localhost)
but only if config is set to root without password
if config_auth_fail, user == 'root', pw == ''
than switch to cookie auth
and display message about it
--
Sebastian Mendel
www.sebastianmendel.de
22 Mar
22 Mar
5:49 a.m.
New subject: [Phpmyadmin-devel] fallback login to http or cookie when config fails?
Hi
On Thu, 22 Mar 2007 09:29:09 +0100
Sebastian Mendel <lists(a)sebastianmendel.de> wrote:
how about fall back to cookie or http auth if config
auth fails?
would make it more easy to run phpMyAdmin out of the box (at least for
localhost)
but only if config is set to root without password
if config_auth_fail, user == 'root', pw == ''
than switch to cookie auth
and display message about it
I already saw request on some generic fallback configuration scheme
somewhere, but I'm unable to find it right now...
--
Michal Čihař | http://cihar.com | http://blog.cihar.com
6:27 a.m.
New subject: [Phpmyadmin-devel] fallback login to http or cookie when config fails?
Michal Čihař schrieb:
Hi
On Thu, 22 Mar 2007 09:29:09 +0100
Sebastian Mendel <lists(a)sebastianmendel.de> wrote:
but i am not sure ... it gives everybody the possibility for bruteforce
attacks on new installations ... or?
btw. we have no protection against bruteforce, or?
such a protection would require a shared place to store data: db, shmem or file
--
Sebastian Mendel
www.sebastianmendel.de
how about fall back to cookie or http auth if
config auth fails?
would make it more easy to run phpMyAdmin out of the box (at least for
localhost)
but only if config is set to root without password
if config_auth_fail, user == 'root', pw == ''
than switch to cookie auth
and display message about it
I already saw request on some generic fallback configuration scheme
somewhere, but I'm unable to find it right now...
9:32 a.m.
New subject: [Phpmyadmin-devel] fallback login to http or cookie when config fails?
Sebastian Mendel schrieb:
Michal Čihař schrieb:
weird ... just forget about this ...
Hi
On Thu, 22 Mar 2007 09:29:09 +0100
Sebastian Mendel <lists(a)sebastianmendel.de> wrote:
but i am not sure ... it gives everybody the possibility for bruteforce
attacks on new installations ... or? how about fall back to cookie or http auth if
config auth fails?
would make it more easy to run phpMyAdmin out of the box (at least for
localhost)
but only if config is set to root without password
if config_auth_fail, user == 'root', pw == ''
than switch to cookie auth
and display message about it
I already saw request on some generic fallback
configuration scheme
somewhere, but I'm unable to find it right now... btw. we have no protection against bruteforce, or?
such a protection would require a shared place to store data: db, shmem or file
--
Sebastian Mendel
www.sebastianmendel.de
8:56 p.m.
New subject: [Phpmyadmin-devel] fallback login to http or cookie when config fails?
Sebastian Mendel wrote:
Michal Čihař schrieb:
being granted all rights if there is no config.inc and if root has no pw set
in mysql is even worse, isn't it?
--
View this message in context:
http://www.nabble.com/fallback-login-to-http-or-cookie-when-config-fails--t…
Sent from the phpmyadmin-devel mailing list archive at Nabble.com.
Hi
On Thu, 22 Mar 2007 09:29:09 +0100
Sebastian Mendel <lists(a)sebastianmendel.de> wrote:
but i am not sure ... it gives everybody the possibility for bruteforce
attacks on new installations ... or?
btw. we have no protection against bruteforce, or?
such a protection would require a shared place to store data: db, shmem or
file
--
Sebastian Mendel
how about fall back to cookie or http auth if
config auth fails?
would make it more easy to run phpMyAdmin out of the box (at least for
localhost)
but only if config is set to root without password
if config_auth_fail, user == 'root', pw == ''
than switch to cookie auth
and display message about it
I already saw request on some generic fallback configuration scheme
somewhere, but I'm unable to find it right now...
23 Mar
23 Mar
4:47 a.m.
New subject: [Phpmyadmin-devel] fallback login to http or cookie when config fails?
Juergen Wind schrieb:
Sebastian Mendel wrote:
yes, thats why i wrote forget about it ...
--
Sebastian
Michal Čihař schrieb:
being granted all rights if there is no config.inc and if root has no pw set
in mysql is even worse, isn't it? Hi
On Thu, 22 Mar 2007 09:29:09 +0100
Sebastian Mendel <lists(a)sebastianmendel.de> wrote:
but i am not sure ... it
gives everybody the possibility for bruteforce
attacks on new installations ... or?
btw. we have no protection against bruteforce, or?
such a protection would require a shared place to store data: db, shmem or
file how about fall back to cookie or http auth if
config auth fails?
would make it more easy to run phpMyAdmin out of the box (at least for
localhost)
but only if config is set to root without password
if config_auth_fail, user == 'root', pw == ''
than switch to cookie auth
and display message about it
I already saw request on some generic fallback
configuration scheme
somewhere, but I'm unable to find it right now... 
22 Mar
22 Mar
8:13 a.m.
New subject: [Phpmyadmin-devel] fallback login to http or cookie when config
Sebastian Mendel a écrit :
Hi,
how about fall back to cookie or http auth if config auth fails?
would make it more easy to run phpMyAdmin out of the box (at least for
localhost)
but only if config is set to root without password
if config_auth_fail, user == 'root', pw == ''
than switch to cookie auth
and display message about it
I would prefer to remove "config" auth. Now that we require cookie
support in browser, I don't see any advantage for "config" auth, only
security issues because their user/password in the file, which requires
protection on the web-server level and protection from spies on a shared
server.
Setup script already generates a blowfish secret.
Our config sample uses "cookie" auth as default.
Marc
9:34 a.m.
New subject: [Phpmyadmin-devel] fallback login to http or cookie when config
Marc Delisle schrieb:
Sebastian Mendel a écrit :
i always use config!
--
Sebastian Mendel
www.sebastianmendel.de
Hi,
how about fall back to cookie or http auth if config auth fails?
would make it more easy to run phpMyAdmin out of the box (at least for
localhost)
but only if config is set to root without password
if config_auth_fail, user == 'root', pw == ''
than switch to cookie auth
and display message about it
I would prefer to remove "config" auth.
8:45 p.m.
New subject: [Phpmyadmin-devel] fallback login to http or cookie when config
Marc Delisle wrote:
Sebastian Mendel a écrit :
objection again ;)
i have all my pma versions in a .htaccess protected folder and normally use
"config" auth
("cookie" only for testing/reproducing error reports).
But i suggest to use "http" in config.default insted of "config"
(cookie would be even better, but requires a unique "blowfish" secret).
just my 2 euro cent
--
View this message in context:
http://www.nabble.com/fallback-login-to-http-or-cookie-when-config-fails--t…
Sent from the phpmyadmin-devel mailing list archive at Nabble.com.
Hi,
how about fall back to cookie or http auth if config auth fails?
would make it more easy to run phpMyAdmin out of the box (at least for
localhost)
but only if config is set to root without password
if config_auth_fail, user == 'root', pw == ''
than switch to cookie auth
and display message about it
I would prefer to remove "config" auth. Now that we require cookie
support in browser, I don't see any advantage for "config" auth, only
security issues because their user/password in the file, which requires
protection on the web-server level and protection from spies on a shared
server.
Setup script already generates a blowfish secret.
Our config sample uses "cookie" auth as default.
Marc
23 Mar
23 Mar
4:54 a.m.
New subject: [Phpmyadmin-devel] fallback login to http or cookie when config
Juergen Wind schrieb:
Marc Delisle wrote:
we could easily create a random 'secret', and store it in the session,
it limits the cookie login time to session length - but this should not hurt
and it gives each individual, f.e. example on shared hoster, a unique
'secret'
it has the side effect that someone 'evil' getting somehow the 'secret'
from the config and uses XSS to send stored cookies cannot decrypt the
cookie
--
Sebastian
Sebastian Mendel a écrit :
objection again ;)
i have all my pma versions in a .htaccess protected folder and normally use
"config" auth
("cookie" only for testing/reproducing error reports).
But i suggest to use "http" in config.default insted of "config"
(cookie would be even better, but requires a unique "blowfish" secret). Hi,
how about fall back to cookie or http auth if config auth fails?
would make it more easy to run phpMyAdmin out of the box (at least for
localhost)
but only if config is set to root without password
if config_auth_fail, user == 'root', pw == ''
than switch to cookie auth
and display message about it
I would prefer to remove "config" auth. Now that we require cookie
support in browser, I don't see any advantage for "config" auth, only
security issues because their user/password in the file, which requires
protection on the web-server level and protection from spies on a shared
server.
Setup script already generates a blowfish secret.
Our config sample uses "cookie" auth as default.
Marc
6378
days inactive
6379
days old
9 comments
4 participants
participants (4)
-
Juergen Wind -
Marc Delisle -
Michal Čihař -
Sebastian Mendel