phpMyAdmin without password

ehsanch

A user shouldn't save all database users info .. so he should be able to login to phpmyadmin through his control panel without entering his user/pass (like cpanel)

It can be done by storing db users info on DA database.
 
You want DA to store all plaintext passwords so that DA can pass them to apache so you don't get a password popup? Note that DA and apache/phpMyAdmin are 2 totally separate systems, fyi. If DA were to save all mysql passwords for its own personal use to pass to phpMyAdmin, these passwords would all have to be decodable.. meaning if your box were to be compromised, all passwords could be decoded and read by the hacker. This is exactly why all linux systems use "crypt", which is one-way encoded. Passwords cannot be decoded. MySQL also uses its own flavor of that for exactly this reason, so that passwords can never be found in a database. So for us to add a database full of decodable plaintext passwords would be opposite to all the security measures put in place for exactly that reason.. we don't want anyone to ever be able to figure out the plaintext passwords. I believe this would be out of the scope of DA..

As for doing it via other means, that's another question.

For example, the plaintext DA password is known to DA via the sessions. This means no database of passwords is needed there. If DA were to pass this known password to phpMyAdmin, in theory you could login to phpMyAdmin as your DA user without needing a password. Since the DA user is set up to have access to all databases under that MySQL account, that would work. But.. the issue becomes, since DA and apache are in fact 2 separate systems, you start having security issues passing a plaintext password around in your skins. Not to say something secure couldn't be figured out.. but it's something that has to be considered.

I'm not sure how cpanel does it.. if they addressed these issues and have found a good solution, or just totally ignore these security issues.

John
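
The one-way versus decodable distinction from the reply above, as an added example (not code from DirectAdmin, phpMyAdmin or any poster in this thread): a salted PBKDF2 record can verify a login but holds nothing that could be forwarded to MySQL, while a reversible store returns every password to whoever holds the store and its key. The toy keystream cipher, function names, key and sample users are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example
SAMPLE_USERS = {"alice_db": "constructed-pass-1", "bob_db": "constructed-pass-2"}  # constructed


def make_verifier(password):
    """One-way record (salt, digest); the password cannot be read back from it."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check_password(candidate, record):
    """Verify a login attempt against the one-way record in constant time."""
    salt, digest = record
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(probe, digest)


def _keystream(key, nonce, length):
    # Toy SHA-256 counter keystream, a stand-in for any reversible encryption.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def reversible_store(password, key):
    """Decodable record (nonce, ciphertext): what auto-login from a stored password needs."""
    nonce, data = os.urandom(16), password.encode()
    return nonce, bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def reversible_load(record, key):
    """Decode a stored record; anyone holding the key can do the same."""
    nonce, blob = record
    return bytes(a ^ b for a, b in zip(blob, _keystream(key, nonce, len(blob)))).decode()


def compromised_box(users, key):
    """Return (one-way records, recovered passwords) as seen by whoever holds disk and key."""
    one_way = {u: make_verifier(p) for u, p in users.items()}
    decodable = {u: reversible_store(p, key) for u, p in users.items()}
    return one_way, {u: reversible_load(r, key) for u, r in decodable.items()}
```

Calling `compromised_box(SAMPLE_USERS, os.urandom(32))` returns the verifier records alongside the full plaintext list recovered from the decodable store.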
 
I'm not sure either. They also do it with the Webmail software too. For example, if you're logged into cPanel with your cPanel user account and click on the Webmail link, you'll automatically be logged into your Webmail without having to re-authenticate. They do it too on the Mail User portion. However, I do not know if the way they are doing it is secure or not.
 
If they run these pieces of software through their own (no apache involved), then it would be secure. We don't.. we use apache.

John
 
I like the current way...

I have many designers and developers log into my sites; this may be to update graphics, maybe enhance a php page, etc. Sometimes, these people have a similar site... so I like the fact that access to my data is secure!
 