[Phpmyadmin-devel] about arbitrary auth_type
Rabus
derrabus at gmx.de
Thu Sep 11 09:08:13 CEST 2003
Hi Marc, Michal & list,
Marc Delisle wrote:
>
> Michal Cihar a écrit:
>
> > There should still be posibility to disable this, to keep
> > iterface as simple as possible (eg. with just one server).
> >
> > Michal
>
> Michal,
>
> well, if you like. But I think that having this:
> --------------------
>
> Server choice: [(drop-down)]
> or [enter server name]
> --------------------
>
> would not clutter the interface too much. Plus it opens the
> eyes of users about this feature if we always show it, or if
> we show it by default.
>
> Currently if we have just one server, we even don't show it
> on the login page, and I think that showing it would be an
> improvement.
>
> Also, the auth_type 'arbitrary' somehow hides the fact that
> the mode is really cookie.
>
It has to be possible to disable the arbitary server mode. Not for cosmetic
reasons: for security reasons!
Let's imagin a small company network with two servers: server 1 and server
2, both running the MySQL server software.
Server 1 is connected to the internet permanently. The MySQL database on
server 1 sometimes has to be accessed from outside the network. This is why
the sysadmin installed phpMyAdmin on server 1.
The MySQL server on server 2 contains serious data and may not be accessible
from the internet. Nevertheless, this database powers some php scripts
running on server 1, so server 1 has to be able to connect to server 2's
MySQL database.
In this case, phpMyAdmin would be a security hole, if the arbitrary server
mode wouldn't be configurable.
In addition to this, an internet user would not only be able to access
server 1 and 2, he would also be able to use the owner's bandwidth to access
thousands of different servers all over the world.
Regards,
Alexader
More information about the Developers
mailing list