There is a security feature to add a specific time limit for the validity of a
password. This feature helps to protect the working session. After a successful
login, our password is stored (encrypted) in a cookie, along with a timer. Every
action in phpMyAdmin resets the timer. If we stay inactive for a certain number of
seconds, as defined in $cfg['LoginCookieValidity'], we are disconnected and
have to log in again. Increasing this parameter does not work in all cases, because
PHP's own session.gc_maxlifetime directive can get in the way. Please refer to
http://php.net/manual/en/session.configuration.php for an explanation
of this directive. Therefore, if phpMyAdmin detects that the value of
session.gc_maxlifetime is less than the configured $cfg['LoginCookieValidity'], a warning
is displayed on the main page. The default is 1440 seconds; this matches the
php.ini default value of the session.gc_maxlifetime parameter.
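The comparison behind that warning can be reproduced before changing the setting. The following PHP is an added example, not code from phpMyAdmin or from this book; check_login_cookie_validity() is a hypothetical helper name and 3600 is a constructed sample value.

```php
<?php
// Added example, not phpMyAdmin code. Run it under the same PHP SAPI that
// serves phpMyAdmin: the CLI and the web server may load different php.ini
// files and therefore report different session.gc_maxlifetime values.

/**
 * Compare a desired $cfg['LoginCookieValidity'] with PHP's session lifetime.
 *
 * @param int      $requested     value planned for $cfg['LoginCookieValidity']
 * @param int|null $gcMaxLifetime override for testing; null reads the live setting
 * @return array   requested value, PHP's limit, the idle period that can be
 *                 relied on, and whether phpMyAdmin's warning condition holds
 */
function check_login_cookie_validity(int $requested, ?int $gcMaxLifetime = null): array
{
    // Default to the value PHP is running with right now.
    $gc = $gcMaxLifetime ?? (int) ini_get('session.gc_maxlifetime');

    return [
        'requested'      => $requested,
        'gc_maxlifetime' => $gc,
        // Session data may be garbage-collected once it is older than
        // gc_maxlifetime, so only the smaller of the two can be relied on.
        'effective'      => min($requested, $gc),
        // Same condition the text describes: gc_maxlifetime < LoginCookieValidity.
        'warning'        => $gc < $requested,
    ];
}

// Constructed sample values: 1440 is the default, 3600 a one-hour request.
foreach ([1440, 3600] as $seconds) {
    $r = check_login_cookie_validity($seconds);
    printf(
        "LoginCookieValidity=%d gc_maxlifetime=%d reliable=%d %s\n",
        $r['requested'],
        $r['gc_maxlifetime'],
        $r['effective'],
        $r['warning'] ? 'WARNING: PHP may drop the session first' : 'ok'
    );
}
```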
The Blowfish algorithm used to protect the username and password
requires many computations. To achieve the best possible speed,
PHP's mcrypt extension and its accompanying library must be installed
on our web server.
To help users realize that this extension is really important, a message is
displayed on the main page when phpMyAdmin detects its absence. The
$cfg['McryptDisableWarning'] directive controls this message. By
default, a value of false implies that the message is shown.
Authenticating with signon mode
During the course of a working session, a user may encounter several requests to
authenticate, from different web applications. The reason is that these applications
don't talk to each other, and this situation inconveniences most users.
The signon mode enables us to use the credentials from another application to
skip the authentication phase of phpMyAdmin. In order for this to work, this other
application has to store the proper credentials into PHP's session data to be retrieved
later by phpMyAdmin.
Storing credentials in PHP's session is not guaranteed to be safe,
according to the PHP manual: http://php.net/manual/en/session.security.php.
To enable this mode, we start with the following directive:
$cfg['Servers'][$i]['auth_type'] = 'signon';
 