[Phpmyadmin-devel] fallback login to http or cookie when config

Sebastian Mendel lists at sebastianmendel.de
Fri Mar 23 08:54:47 CET 2007

Juergen Wind wrote:
> Marc Delisle wrote:
>> Sebastian Mendel wrote:
>>> Hi,
>>> how about falling back to cookie or http auth if config auth fails?
>>> would make it easier to run phpMyAdmin out of the box (at least for
>>> localhost)
>>> but only if config is set to root without password
>>> if config_auth_fail, user == 'root', pw == ''
>>> then switch to cookie auth
>>> and display message about it
>> I would prefer to remove "config" auth. Now that we require cookie 
>> support in browser, I don't see any advantage for "config" auth, only 
>> security issues because the user/password are in the file, which requires 
>> protection on the web-server level and protection from spies on a shared 
>> server.
>> Setup script already generates a blowfish secret.
>> Our config sample uses "cookie" auth as default.
>> Marc
> objection again ;)
> I have all my pma versions in a .htaccess protected folder and normally use
> "config" auth
> ("cookie" only for testing/reproducing error reports).
> But I suggest to use "http" in config.default instead of "config" 
> (cookie would be even better, but requires a unique "blowfish" secret).

we could easily create a random 'secret' and store it in the session; 
it limits the cookie login time to the session length, but this should not hurt

and it gives each individual, for example on a shared host, a unique 

it has the side effect that someone 'evil' somehow getting the 'secret' 
from the config and using XSS to send stored cookies cannot decrypt the 
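The two ideas in this thread (falling back from "config" to "cookie" auth when the configured account is root with an empty password, and a per-session random secret instead of a fixed blowfish_secret) sketched as an added PHP example. This is not phpMyAdmin's own code; the function names, the `$cfg` keys beyond those named in the thread, and the session key are assumptions.

```php
<?php
// Added example (not phpMyAdmin's code): decide which auth type to use.
// $cfg mirrors the config.inc.php settings discussed in the thread.
$cfg = [
    'auth_type'       => 'config',   // weak: credentials live in the config file
    'user'            => 'root',
    'password'        => '',
    'blowfish_secret' => '',         // no fixed secret shipped in the sample config
];

// Fall back to cookie auth when "config" auth would expose root with no
// password, and report it so the installer knows why a login form appeared.
function chooseAuthType(array $cfg, bool $configAuthFailed): array
{
    $messages = [];
    if ($cfg['auth_type'] === 'config'
        && $configAuthFailed
        && $cfg['user'] === 'root'
        && $cfg['password'] === '') {
        $cfg['auth_type'] = 'cookie';
        $messages[] = 'Config auth failed for root without a password; '
                    . 'switched to cookie authentication.';
    }
    return [$cfg, $messages];
}

// Per-session secret: generated once with a CSPRNG and kept only in the
// session, so a secret read out of config.inc.php does not decrypt the
// cookies. Cookie logins then last at most one session, as the thread notes.
function sessionBlowfishSecret(array $cfg): string
{
    if ($cfg['blowfish_secret'] !== '') {
        return $cfg['blowfish_secret'];      // an explicit secret is still honoured
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['pma_random_secret'])) {   // assumed session key name
        $_SESSION['pma_random_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['pma_random_secret'];
}

[$cfg, $messages] = chooseAuthType($cfg, true);
$secret = sessionBlowfishSecret($cfg);
```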

