[Phpmyadmin-devel] fallback login to http or cookie when config

Sebastian Mendel lists at sebastianmendel.de
Fri Mar 23 08:54:47 CET 2007


Juergen Wind wrote:
> 
> 
> Marc Delisle wrote:
>> Sebastian Mendel wrote:
>>> Hi,
>>>
>>> how about fall back to cookie or http auth if config auth fails?
>>>
>>> would make it easier to run phpMyAdmin out of the box (at least for
>>> localhost)
>>>
>>> but only if config is set to root without password
>>>
>>> if config_auth_fail, user == 'root', pw == ''
>>> then switch to cookie auth
>>> and display a message about it
>>
>> I would prefer to remove "config" auth. Now that we require cookie
>> support in the browser, I don't see any advantage for "config" auth, only
>> security issues because the user/password are in the file, which requires
>> protection on the web-server level and protection from spies on a shared
>> server.
>>
>> Setup script already generates a blowfish secret.
>>
>> Our config sample uses "cookie" auth as default.
>> Marc
> 
> objection again ;)
> I have all my pma versions in a .htaccess protected folder and normally use
> "config" auth
> ("cookie" only for testing/reproducing error reports).
> But I suggest using "http" in config.default instead of "config"
> (cookie would be even better, but requires a unique "blowfish" secret).

we could easily create a random 'secret' and store it in the session;
it limits the cookie login time to the session length - but this should not hurt

and it gives each individual, e.g. on a shared host, a unique
'secret'

it has the side effect that someone 'evil' who somehow gets the 'secret'
from the config and uses XSS to exfiltrate stored cookies cannot decrypt the
cookie

-- 
Sebastian
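The scheme Sebastian sketches above, as an added example that is not part of the original thread and not phpMyAdmin's code: the same login cookie is encrypted once with a key derived from a fixed config secret and once with a random secret that lives only in the server-side session. The cipher is a stand-in built from the Python standard library (SHA-256 in counter mode for the keystream, HMAC-SHA256 as the tag), not phpMyAdmin's Blowfish cookie format; the config secret value, the session store and the function names are assumptions of this example.

```python
"""Added example (not phpMyAdmin code): where the cookie-auth key comes from.

Variant 1 derives the cookie key from a fixed config secret (what an attacker
on a shared host is assumed to be able to read).  Variant 2 derives it from a
random secret generated at login and kept only in the server-side session.
The stream cipher + HMAC below is a stand-in built from the standard library.
"""
import hashlib
import hmac
import json
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed value standing in for a 'blowfish_secret' read from the config
# file, i.e. the value the attacker in the thread is assumed to possess.
CONFIG_BLOWFISH_SECRET = b"config-secret-readable-on-a-shared-host"

# Stand-in for the server-side session store: session id -> per-session secret.
SESSIONS: Dict[str, bytes] = {}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for a real stream/CTR cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_cookie(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    plaintext = json.dumps(payload).encode()
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_cookie(key: bytes, cookie: bytes) -> Optional[dict]:
    """Returns the payload, or None if the key is wrong or the cookie was tampered with."""
    if len(cookie) < 16 + 32:
        return None
    nonce, ciphertext, tag = cookie[:16], cookie[16:-32], cookie[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


# Variant 1: cookie key comes straight from the config file.
def login_with_config_secret(user: str, password: str) -> bytes:
    return encrypt_cookie(CONFIG_BLOWFISH_SECRET, {"user": user, "pw": password})


# Variant 2: cookie key is a random per-session secret that never leaves the server.
def login_with_session_secret(user: str, password: str) -> Tuple[str, bytes]:
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = secrets.token_bytes(32)
    cookie = encrypt_cookie(SESSIONS[session_id], {"user": user, "pw": password})
    return session_id, cookie


def server_read_cookie(session_id: str, cookie: bytes) -> Optional[dict]:
    """Server side of variant 2: once the session is gone, the cookie is useless."""
    secret = SESSIONS.get(session_id)
    if secret is None:
        return None
    return decrypt_cookie(secret, cookie)


def attacker_decrypts(stolen_cookie: bytes) -> Optional[dict]:
    """Attacker model from the thread: has the config secret, stole the cookie via XSS."""
    return decrypt_cookie(CONFIG_BLOWFISH_SECRET, stolen_cookie)


if __name__ == "__main__":
    cfg_cookie = login_with_config_secret("root", "hunter2")
    print("config secret, attacker reads:", attacker_decrypts(cfg_cookie))
    sid, sess_cookie = login_with_session_secret("root", "hunter2")
    print("session secret, attacker reads:", attacker_decrypts(sess_cookie))
    print("session secret, server reads:", server_read_cookie(sid, sess_cookie))
    SESSIONS.pop(sid)
    print("after session expiry, server reads:", server_read_cookie(sid, sess_cookie))
```

Two caveats worth keeping in mind when reading the model: it shows only that the stolen cookie does not yield the plaintext password, which is the property claimed in the mail; an attacker who exfiltrates cookies via XSS usually gets the session id cookie too, and can then replay both against the server for as long as that session lives. The per-session secret therefore bounds the damage to the session lifetime rather than preventing misuse of a live session.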
