[Phpmyadmin-devel] Default configuration
Marc Delisle
Marc.Delisle at cegepsherbrooke.qc.ca
Wed Sep 3 13:42:32 CEST 2008
Michal Čihař wrote:
> Hi all
>
> Since forever, our default configuration has been config, which matches MySQL
> defaults. However, we all know it is not really a good option from a
> security point of view, because it might expose an inexperienced user's
> MySQL server to the public. I think it's time to change this.
>
> 1. Disallow logging in as root without password unless explicitly
> allowed in our config file.
OK. You mean allowing this with a new parameter like AllowRootLogin?
>
> 2. Make cookie the default authentication method.
See my answer to the next one.
>
> 3. If no Blowfish secret is set, generate one on the fly and store it
> in the session - it should work for login, but it won't allow recalling the
> username on the next login, but if the user wants this feature, he needs to set
> the secret in the config.
We are not supposed to store credentials in session, so storing a
blowfish secret there is not appropriate, IMO. This is why we have not
(yet) chosen 'cookie' as default auth_type.
Maybe choosing 'http' would be better as a default?
>
> Opinions on making such a change in trunk?
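For reference, here is how the two setups discussed above look in config.inc.php. This is an added illustration, not code from the thread or from the phpMyAdmin project; it uses phpMyAdmin's existing auth_type, AllowNoPassword, AllowRoot and blowfish_secret directives, while AllowRootLogin above is only a proposed name and does not exist. The secret value is a placeholder.

```php
<?php
// Added example (not from the thread or the phpMyAdmin project): the
// MySQL-defaults style configuration the thread calls insecure, next to
// the hardened defaults it proposes. Both are shown in one file only for
// comparison; a real config.inc.php would contain one or the other.
$i = 1;

// --- Weak: mirrors MySQL defaults. Anyone who can reach the phpMyAdmin
//     URL is logged in as a passwordless root, no credentials asked.
$cfg['Servers'][$i]['auth_type']       = 'config';
$cfg['Servers'][$i]['user']            = 'root';
$cfg['Servers'][$i]['password']        = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;

// --- Hardened: proposals 1 and 2 from the thread.
$cfg['Servers'][$i]['auth_type']       = 'cookie'; // prompt for credentials (proposal 2)
$cfg['Servers'][$i]['AllowNoPassword'] = false;    // refuse empty passwords (proposal 1)
$cfg['Servers'][$i]['AllowRoot']       = false;    // stricter still: no root via the web UI
$cfg['Servers'][$i]['user']            = '';
$cfg['Servers'][$i]['password']        = '';

// Proposal 3: cookie auth needs a secret to encrypt the username stored in
// the cookie. A persistent admin-set value (rather than one generated into
// the session) is what lets the username be recalled on the next login.
$cfg['blowfish_secret'] = 'PLACEHOLDER-replace-with-a-long-random-string';
```

Generate the secret with a random source and keep config.inc.php readable only by the web server user, since anyone who can read the secret can forge the cookie contents it protects.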