Tracker: Feature Requests

(ok 3.1.0) setup script doesn't tell to generate .htaccess - ID: 2152785
Last Update: Settings changed ( nijel )

I'm a phpMyAdmin newbie and recently installed it using the setup script to
build the config file. Copying the previous configuration, I made it
config-based, entered the password etc. and away we went. After a couple of
days I had a query as to why the user wasn't being prompted to log in and
realised I should have generated a .htaccess/.htpasswd pair for the phpMyAdmin
directory. The setup tool should volunteer to help with this. Consequently,
anyone who uses setup scripts to generate a config-based installation might
be running unsecured.


Ed ( epo001 ) - 2008-10-08 07:56

Priority: 1
Status: Closed
Resolution: None
Assigned: Piotr Przybylski
Category: Security / Restrictions
Group: None
Visibility: Public


Comments ( 5 )

Date: 2008-11-30 13:43
Sender: nijel

If you use the config auth_type in the current setup script, it shows the
following red message:

You set config authentication type and included username and password for
auto-login, which is not a desirable option for live hosts. Anyone who
knows phpMyAdmin URL can directly access your phpMyAdmin panel. Set
authentication type to cookie or http. If you feel this is necessary, use
additional protection settings - host authentication settings and trusted
proxies list. However, IP-based protection may not be reliable if your IP
belongs to an ISP where thousands of users, including you, are connected
to.

I guess this is a strong enough warning.
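
The two configurations the thread contrasts, as an added example rather than anything shipped by phpMyAdmin or posted in this tracker: the 'config' auth_type setup the reporter ended up with (shown commented out), next to a cookie-auth setup that also uses the host authentication (AllowDeny) and trusted-proxy directives nijel refers to, which covers windkiel's LAN-only case as well. Directive names follow phpMyAdmin's Documentation.html for the 3.x line; the 192.168.1.0/24 range, the 10.0.0.5 proxy address and the secret value are placeholders for this example.

```php
<?php
/*
 * Fragment of a config.inc.php (added example, not phpMyAdmin's own file).
 * Shows the weak 'config' auth_type beside a hardened cookie-auth setup
 * with host authorization and a trusted proxy. All addresses and the
 * blowfish secret are placeholders.
 */

$i = 0;
$i++;

/* --- Weak: what a 'config'-based setup looks like --- */
/*
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user']      = 'root';
$cfg['Servers'][$i]['password']  = 's3cret';   // cleartext, next to the web root
// No prompt is ever shown: anyone who reaches the URL is logged in as root.
*/

/* --- Hardened: prompt for credentials, keep them out of the file --- */
$cfg['Servers'][$i]['host']      = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user']      = '';   // empty: no account is implied
$cfg['Servers'][$i]['password']  = '';

/* Cookie auth encrypts the credential cookie with this key. It must be set
 * and should be a long random string; the value below is a placeholder. */
$cfg['blowfish_secret'] = 'REPLACE-WITH-A-LONG-RANDOM-STRING';

/* Refuse MySQL accounts that have no password at all. */
$cfg['Servers'][$i]['AllowNoPassword'] = false;

/* Host authorization. With order 'allow,deny' access is denied by default
 * and only clients matching an allow rule get through, so a single allow
 * line is enough. 192.168.1.0/24 stands in for the LAN that should be able
 * to reach the panel. Rule syntax: 'allow|deny <username> from <ipmask>',
 * where % matches any username. */
$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    'allow % from 192.168.1.0/24',
);

/* Behind a reverse proxy the client address seen by the rules above is the
 * proxy's own. Listing the proxy together with the header it sets makes
 * phpMyAdmin use the forwarded address, but only for requests from that
 * proxy, so an arbitrary client cannot forge the header. */
$cfg['TrustedProxies'] = array(
    '10.0.0.5' => 'HTTP_X_FORWARDED_FOR',   // placeholder proxy address
);
```

The weak block is left commented out so the fragment stays a valid file with only the hardened settings active. As the warning text quoted above notes, the IP rules are only as meaningful as the addresses are: on a shared ISP range or behind NAT an allow rule admits every host that shares the address, so it is a second layer on top of a real login, not a substitute for one.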


Date: 2008-11-03 15:37
Sender: ibennetch

By the way, for Ed and anyone else who finds this thread:
http://wiki.cihar.com/pma/auth_types -- this is exactly how the 'config'
auth_type is supposed to work. Perhaps 'cookie' or 'http' are what you
need.

@windkiel and @lem9: I agree with windkiel to not remove 'config' and that
the default of 'cookie' is a good move.


Date: 2008-10-10 22:52
Sender: windkiel

lol @The real question is: how can we convince users to read
Documentation.html?

>Should we abandon the 'config' auth mode?
no!
I usually have it in a folder with restricted access to my LAN and I don't
like to log in at all.
But making auth_type = cookie default (pma3.1) is the right step!


Date: 2008-10-08 20:11
Sender: lem9

Moved to feature requests.


Date: 2008-10-08 12:17
Sender: lem9

The real question is: how can we convince users to read Documentation.html?
or even: Should we abandon the 'config' auth mode?



Changes ( 10 )

Field             | Old Value                                                   | Date             | By
------------------|-------------------------------------------------------------|------------------|-------
close_date        | -                                                           | 2008-11-30 13:44 | nijel
status_id         | Open                                                        | 2008-11-30 13:44 | nijel
priority          | 6                                                           | 2008-11-30 13:44 | nijel
assigned_to       | nobody                                                      | 2008-11-30 13:44 | nijel
summary           | setup script doesn't (tell you to) generate .htaccess       | 2008-11-30 13:44 | nijel
data_type         | 377411                                                      | 2008-10-08 20:11 | lem9
category_id       | Security / Restrictions                                     | 2008-10-08 20:11 | lem9
artifact_group_id | 2.11.9.x                                                    | 2008-10-08 20:11 | lem9
priority          | 5                                                           | 2008-10-08 07:57 | epo001
summary           | gui config builder doesn't (tell you to) generate .htaccess | 2008-10-08 07:57 | epo001