[Phpmyadmin-devel] fallback login to http or cookie when config
Sebastian Mendel
lists at sebastianmendel.de
Fri Mar 23 08:54:47 CET 2007
Juergen Wind schrieb:
>
>
> Marc Delisle wrote:
>> Sebastian Mendel a écrit :
>>> Hi,
>>>
>>> how about fall back to cookie or http auth if config auth fails?
>>>
>>> would make it more easy to run phpMyAdmin out of the box (at least for
>>> localhost)
>>>
>>> but only if config is set to root without password
>>>
>>> if config_auth_fail, user == 'root', pw == ''
>>> than switch to cookie auth
>>> and display message about it
>>
>> I would prefer to remove "config" auth. Now that we require cookie
>> support in browser, I don't see any advantage for "config" auth, only
>> security issues because their user/password in the file, which requires
>> protection on the web-server level and protection from spies on a shared
>> server.
>>
>> Setup script already generates a blowfish secret.
>>
>> Our config sample uses "cookie" auth as default.
>> Marc
>
> objection again ;)
> i have all my pma versions in a .htaccess protected folder and normally use
> "config" auth
> ("cookie" only for testing/reproducing error reports).
> But i suggest to use "http" in config.default insted of "config"
> (cookie would be even better, but requires a unique "blowfish" secret).
we could easily create a random 'secret', and store it in the session,
it limits the cookie login time to session length - but this should not hurt
and it gives each individual, f.e. example on shared hoster, a unique
'secret'
it has the side effect that someone 'evil' getting somehow the 'secret'
from the config and uses XSS to send stored cookies cannot decrypt the
cookie
--
Sebastian
More information about the Developers
mailing list