[Phpmyadmin-devel] fallback login to http or cookie when config

Juergen Wind jwind at gmx.de
Fri Mar 23 00:45:23 CET 2007

Marc Delisle wrote:
> Sebastian Mendel a écrit :
>> Hi,
>> how about fall back to cookie or http auth if config auth fails?
>> would make it more easy to run phpMyAdmin out of the box (at least for
>> localhost)
>> but only if config is set to root without password
>> if config_auth_fail, user == 'root', pw == ''
>> than switch to cookie auth
>> and display message about it
> I would prefer to remove "config" auth. Now that we require cookie 
> support in browser, I don't see any advantage for "config" auth, only 
> security issues because their user/password in the file, which requires 
> protection on the web-server level and protection from spies on a shared 
> server.
> Setup script already generates a blowfish secret.
> Our config sample uses "cookie" auth as default.
> Marc

objection again ;)
i have all my pma versions in a .htaccess protected folder and normally use
"config" auth
("cookie" only for testing/reproducing error reports).
But i suggest to use "http" in config.default insted of "config" 
(cookie would be even better, but requires a unique "blowfish" secret).

just my 2 euro cent

View this message in context: http://www.nabble.com/fallback-login-to-http-or-cookie-when-config-fails--tf3446139.html#a9626546
Sent from the phpmyadmin-devel mailing list archive at Nabble.com.

More information about the Developers mailing list