[Phpmyadmin-devel] fallback login to http or cookie when config
Juergen Wind
jwind at gmx.de
Fri Mar 23 00:45:23 CET 2007
Marc Delisle wrote:
>
> Sebastian Mendel wrote:
>> Hi,
>>
>> how about fall back to cookie or http auth if config auth fails?
>>
>> would make it easier to run phpMyAdmin out of the box (at least for
>> localhost)
>>
>> but only if config is set to root without password
>>
>> if config_auth_fail, user == 'root', pw == ''
>> then switch to cookie auth
>> and display message about it
>>
>>
>
> I would prefer to remove "config" auth. Now that we require cookie
> support in browser, I don't see any advantage for "config" auth, only
> security issues because there is a user/password in the file, which requires
> protection on the web-server level and protection from spies on a shared
> server.
>
> Setup script already generates a blowfish secret.
>
> Our config sample uses "cookie" auth as default.
> Marc
>
>
Objection again ;)
I have all my pma versions in a .htaccess-protected folder and normally use
"config" auth ("cookie" only for testing/reproducing error reports).
But I suggest using "http" in config.default instead of "config"
(cookie would be even better, but requires a unique "blowfish" secret).
Just my 2 euro cents
--
View this message in context: http://www.nabble.com/fallback-login-to-http-or-cookie-when-config-fails--tf3446139.html#a9626546
Sent from the phpmyadmin-devel mailing list archive at Nabble.com.
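
An added illustration, not part of the thread and not phpMyAdmin's own code: a PHP check over a phpMyAdmin-style `$cfg` array for the points raised above ("config" auth keeping user/password in the file, the root/empty-password case, and "cookie" auth needing a blowfish secret). The helper name `audit_pma_auth` and the sample array are constructed for this example.

```php
<?php
// Added example: audit a phpMyAdmin-style $cfg array for the auth concerns
// discussed in this thread. audit_pma_auth() is a hypothetical helper.
function audit_pma_auth(array $cfg): array
{
    $findings = [];
    $secret = $cfg['blowfish_secret'] ?? '';
    foreach ($cfg['Servers'] ?? [] as $i => $srv) {
        // Unset auth_type is treated as 'config', the default the thread discusses.
        $auth = $srv['auth_type'] ?? 'config';
        $user = $srv['user'] ?? '';
        $pass = $srv['password'] ?? '';
        if ($auth === 'config') {
            $findings[] = "server $i: 'config' auth keeps user/password in the file; "
                . "it needs web-server-level protection (e.g. .htaccess)";
            if ($user === 'root' && $pass === '') {
                $findings[] = "server $i: root with an empty password";
            }
            continue;
        }
        if ($auth === 'cookie' && $secret === '') {
            $findings[] = "server $i: 'cookie' auth without a blowfish_secret";
        }
        if ($pass !== '') {
            // With http/cookie auth the user types credentials at login.
            $findings[] = "server $i: password still stored in the file under '$auth' auth";
        }
    }
    return $findings;
}

// Constructed sample configuration (not taken from any real installation).
$cfg = [
    'blowfish_secret' => '',
    'Servers' => [
        1 => ['auth_type' => 'config', 'user' => 'root', 'password' => ''],
        2 => ['auth_type' => 'cookie'],
        3 => ['auth_type' => 'http', 'user' => 'app', 'password' => 'example-only'],
    ],
];

foreach (audit_pma_auth($cfg) as $line) {
    echo $line, PHP_EOL;
}
```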