[Phpmyadmin-devel] Fwd: fallback login to http or cookie when config
Marc Delisle
Marc.Delisle at cegepsherbrooke.qc.ca
Thu Mar 22 13:36:11 CET 2007

Isaac Bennetch wrote:
> Greetings!
> 
> On 3/22/07, Marc Delisle <Marc.Delisle at cegepsherbrooke.qc.ca> wrote:
>> I would prefer to remove "config" auth.
> 
> While I don't object, some users may feel alienated if this change
> isn't handled carefully. There are no doubt plenty of users who enjoy
> the lack of authentication (many users are home users on a secured
> intranet) that comes with config, and some who use .htaccess with
> 'config' to secure their systems (don't ask me why, but they like it
> that way). I'm just saying that some users may be offended if the
> feature silently disappears. Perhaps a poll on phpmyadmin.net or at
> least a comment soliciting email feedback is warranted (perhaps not).
> 
> Just my thoughts, hope you all have a great day!
> ~isaac

It's true that they might be offended, but we have to balance that with
the problems this "mis-feature" brings.

Let's say we keep this feature and add some warnings.

We already display a message when a user is logged in with config auth,
root and no password. We could change/extend this message.

- the message is not comprehensive because a privileged user might have
  a login name different than "root"
- it might be a bad idea to let non-priv users in without any password
- we could display that "config" auth is not recommended, pointing to a
  FAQ entry

Marc
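
An added example, not part of the original message and not phpMyAdmin's own code: a small Python audit of a config.inc.php that flags every server using "config" auth whatever the user name is, and separately notes an empty password, following the three points in the message above. The sample configuration, the host names and the parse_servers/audit helpers are constructed for illustration.

```python
import re

# Constructed sample of a phpMyAdmin config.inc.php (not from the original message).
SAMPLE_CONFIG = r"""<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$i++;
$cfg['Servers'][$i]['host'] = 'db2.example.test';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'dbadmin';
$cfg['Servers'][$i]['password'] = 's3cret';
$i++;
$cfg['Servers'][$i]['host'] = 'db3.example.test';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
"""

# Matches active (not commented-out) single-quoted string settings of a server.
SETTING = re.compile(
    r"^\s*\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*'((?:[^'\\]|\\.)*)'\s*;",
    re.M)

def parse_servers(text):
    """Split on `$i++;` and collect the string settings of each server block."""
    blocks = re.split(r"\$i\+\+\s*;", text)[1:]
    return [dict(SETTING.findall(block)) for block in blocks]

def audit(text):
    """Return (server_index, host, warnings) for each server using 'config' auth."""
    findings = []
    for idx, srv in enumerate(parse_servers(text), start=1):
        if srv.get("auth_type") != "config":
            continue
        # Deliberately not keyed on the name "root": a privileged account
        # can have any login name.
        warnings = ["config auth: anyone who can reach the page is logged in as "
                    + repr(srv.get("user", ""))]
        if srv.get("password", "") == "":
            warnings.append("empty password")
        findings.append((idx, srv.get("host", "?"), warnings))
    return findings

if __name__ == "__main__":
    for idx, host, warnings in audit(SAMPLE_CONFIG):
        print(f"server {idx} ({host}): " + "; ".join(warnings))
```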
    
    