[Phpmyadmin-devel] Re: IP Allow/Deny code

Robin Johnson robbat2 at fermi.orbis-terrarum.net
Sat May 18 11:03:03 CEST 2002


On Sat, 18 May 2002, Loïc wrote:
> I've updated a bit your code, Robin, and put all the related functions
> inside a distinct library. My first tests with the "http" authentication
> mode are fine :)
Thanks.

> But I've got a question: imagine that the script detects the user is
> behind a proxy but can't get the true IP of this user. What should we
> do in this case? (Currently, the script allows the user to log in).
Actually, it depends on what the order is set to.  If it is set to
explicit, and we can't get the user's IP, then he is not allowed in.
Similarly, if they have a proper 'deny % from all' rule and they use order
as 'deny,allow', then the user that we can't get an IP for is not allowed
in either.

The only case I can find where we will not be able to get the true IP of
the user is if he is using one or more broken proxy servers that do not
correctly set HTTP headers.

> BTW what do you think of adding some warning in the documentation
> about this feature because it's a security mechanism for phpMyAdmin
> only and not for MySQL itself and I'm afraid some end-users would
> be a bit confused otherwise.
Ok, I will document it this evening.

-- 
Robin Hugh Johnson
E-Mail     : robbat2 at orbis-terrarum.net
Home Page  : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ#       : 30269588 or 41961639
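
As an added illustration of the reply above (not phpMyAdmin's code and not written by either poster), here is a small Python model of allow/deny evaluation when the client address cannot be determined. Assumptions: the function names, CIDR-only masks, Apache-style order semantics, and the fail-closed choice that an unknown address can match a 'deny ... from all' rule but never an allow rule.

```python
import ipaddress

def parse_rule(rule):
    """Split '<allow|deny> <user> [from] <ipmask>' into (action, user, mask)."""
    parts = rule.split()
    if len(parts) == 4 and parts[2] == "from":
        del parts[2]
    if len(parts) != 3 or parts[0] not in ("allow", "deny"):
        raise ValueError("malformed rule: %r" % rule)
    return tuple(parts)

def matches(action, rules, user, ip):
    """True if a rule of this action matches; ip is None when it is unknown."""
    for rule in rules:
        act, rule_user, mask = parse_rule(rule)
        if act != action or rule_user not in ("%", user):
            continue
        if mask == "all":
            # Assumption (fail closed): an unknown address can hit
            # "deny ... from all" but can never satisfy an allow rule.
            if ip is not None or action == "deny":
                return True
        elif ip is not None:
            net = ipaddress.ip_network(mask, strict=False)
            if ipaddress.ip_address(ip) in net:
                return True
    return False

def is_allowed(order, rules, user, ip):
    """Apply the rules in the configured order (assumed Apache-style)."""
    allow = matches("allow", rules, user, ip)
    deny = matches("deny", rules, user, ip)
    if order == "deny,allow":
        # Default is allow; an allow match overrides a deny match.
        return allow or not deny
    if order in ("allow,deny", "explicit"):
        # Must match an allow rule and no deny rule.
        return allow and not deny
    raise ValueError("unknown order: %r" % order)

if __name__ == "__main__":
    rules = ["deny % from all", "allow % from 192.168.5.0/24"]  # constructed
    for ip in ("192.168.5.7", "203.0.113.9", None):
        print(ip, is_allowed("deny,allow", rules, "root", ip))
```

With order 'deny,allow' and no 'deny % from all' rule, the model lets the unknown address through, which is the case raised in the question.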