We can also define the HTTP basic auth realm (http://en.wikipedia.org/wiki/Basic_access_authentication),
which is a message to be displayed to the user at
login time, via $cfg['Servers'][$i]['auth_http_realm']. This can help indicate
the purpose of this server.
This mode has the following limitations:
• PHP, depending on the version, might not support HTTP authentication for
all kinds of web servers.
• If we want to protect phpMyAdmin's directory with a .htaccess file (refer
to the Securing phpMyAdmin section in this chapter), this will interfere with
the HTTP authentication type; we cannot use both.
• Browsers usually store the authentication information to save retyping
credentials but bear in mind that these credentials are saved in an
unencrypted format.
• There is no support for proper logout in the HTTP protocol; hence we have to
close all browser windows to be able to log in again with the same username.
Authenticating with cookie values
The cookie authentication mode is superior to http in terms of the functionalities
it offers. This mode permits true login and logout, and can be used with PHP
running on any kind of web server. It presents a login panel (as shown in the
following screenshot) from within phpMyAdmin. This can be customized as we
have the application source code. However, as you may have guessed, for cookie
authentication, the browser must accept cookies coming from the web server—but
this is the case for all authentication modes anyway.
This mode stores the username typed in the login screen into a permanent cookie in
our browser while the password is stored as a temporary cookie. In a multi-server
configuration, the username and password corresponding to each server are stored
separately. To protect the secrecy of the username and password against attack
methods that target cookie content, they are encrypted using the Blowfish cipher.
So, to use this mode, we have to define (once), in config.inc.php, a secret string
that will be used to securely encrypt all passwords stored as cookies from this
phpMyAdmin installation.
This string is set via the blowfish_secret directive:
$cfg['blowfish_secret'] = 'jgjgRUD875G%/*';
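A small audit of this setting, as an added example that is not from the book or from phpMyAdmin itself: it flags an empty secret, the sample secret printed above, and a secret below an assumed minimum length on any installation that has a cookie-auth server, then prints a replacement line built from the operating system's random source. The names audit_pma_config, MIN_SECRET_LEN and PUBLISHED_SECRETS, the 32-character threshold, and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example: audit a phpMyAdmin $cfg array for cookie-auth secret problems.
// MIN_SECRET_LEN is an assumed policy threshold, not a value taken from the text.
const MIN_SECRET_LEN = 32;
// A secret that has appeared in print (this chapter's sample) is not a secret.
const PUBLISHED_SECRETS = ['jgjgRUD875G%/*'];

function audit_pma_config(array $cfg): array
{
    $findings = [];
    $secret = (string) ($cfg['blowfish_secret'] ?? '');

    // Collect the indexes of servers that use cookie authentication.
    $cookieServers = [];
    foreach ($cfg['Servers'] ?? [] as $i => $server) {
        if (($server['auth_type'] ?? '') === 'cookie') {
            $cookieServers[] = $i;
        }
    }
    if ($cookieServers === []) {
        return $findings; // per the text, the secret is needed for cookie mode
    }

    $where = 'server(s) ' . implode(', ', $cookieServers);
    if ($secret === '') {
        $findings[] = "blowfish_secret is empty but $where use cookie auth";
    } elseif (in_array($secret, PUBLISHED_SECRETS, true)) {
        $findings[] = "blowfish_secret is a published sample value ($where)";
    } elseif (strlen($secret) < MIN_SECRET_LEN) {
        $findings[] = 'blowfish_secret is shorter than ' . MIN_SECRET_LEN
            . " characters ($where)";
    }
    return $findings;
}

// Constructed sample configuration: one cookie-auth and one http-auth server.
$cfg = ['blowfish_secret' => 'jgjgRUD875G%/*'];
$cfg['Servers'][1] = ['host' => 'localhost', 'auth_type' => 'cookie'];
$cfg['Servers'][2] = ['host' => 'db2.example.test', 'auth_type' => 'http',
                      'auth_http_realm' => 'Staging database'];

foreach (audit_pma_config($cfg) as $finding) {
    echo "[!] $finding\n";
}

// Replacement secret from the OS CSPRNG, printed as a config.inc.php line.
echo "\$cfg['blowfish_secret'] = '" . bin2hex(random_bytes(16)) . "';\n";
```

Changing the secret invalidates the passwords already stored in users' cookies, so they will have to log in again.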
 