Auth types

From PmaWiki

Overview

There are a number of authentication methods to choose from, depending on your specific needs. The method is set in the configuration file using $cfg['Servers'][$i]['auth_type']. For a personal server running behind a firewall, config may be desirable, whereas a multi-user facility (such as an ISP) will want to use cookie or http. Read on for more information about each. If you have trouble, don't forget that you need to set a password for MySQL itself (mysqladmin -u root password XXXXXXXX) if you haven't already.

config

auth_type = 'config' is the most basic authentication mode. The username and password are stored in the phpMyAdmin configuration file. It is good for troubleshooting problems and for single-user installations where "root" (or some similar super-user) is used for all administrative work. Config does not password protect phpMyAdmin; anyone who accesses the correct URL is logged directly in and can manipulate your server.

If you use config, please also place your server behind a firewall or use your webserver's authentication (such as an Apache .htaccess file) to limit access to your data.

In the configuration file, also fill in values for user and password.

cookie

auth_type = 'cookie' prompts for a MySQL username and password in a friendly HTML form. This is also the only way by which one can log in to an arbitrary server (if $cfg['AllowArbitraryServer'] is enabled). Cookie is good for most installations (default in pma 3.1+); it provides security over config and allows multiple users to use the same phpMyAdmin installation. For IIS users, cookie is often easier to configure than http.

Having the PHP mcrypt extension will speed up access considerably, but is only required on 64bit machines at the moment (due to

In the configuration file, do not fill in values for $cfg['Servers'][$i]['user'] and $cfg['Servers'][$i]['password']. You should also provide a secret passphrase: $cfg['blowfish_secret'] = 'anythingShorterThan42(?)characters';

If your MySQL version is older than 4.1.2 (or is running with --skip-show-database) see the section on configuring a controluser.

http

auth_type = 'http' also prompts for a MySQL username and password, but does so using HTTP Basic authentication. The look of the prompt is determined by the browser; most pop up a login window. Http provides security over the config method and allows multiple users to use the same phpMyAdmin installation. The differences between http and cookie for the end user are mostly cosmetic; however, IIS users should see FAQ 1.32 and Apache CGI-mode users should see FAQ 1.35.

In the configuration file, do not fill in values for $cfg['Servers'][$i]['user'] and $cfg['Servers'][$i]['password']. If your MySQL version is older than 4.1.2 (or is running with --skip-show-database), you should see the section on configuring a controluser.
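A check for the settings discussed in the config, cookie and http sections, added here as an example (it is not part of phpMyAdmin or of the original page): it walks a $cfg array and reports the combinations this page warns about, plus incomplete signon settings. The function name audit_auth_config and the sample $cfg are constructed for illustration.

```php
<?php
// Added example, not phpMyAdmin code: flag the auth_type pitfalls described on this page.
function audit_auth_config(array $cfg): array
{
    $findings = [];
    $secret = $cfg['blowfish_secret'] ?? '';
    foreach ($cfg['Servers'] ?? [] as $i => $server) {
        $type = $server['auth_type'] ?? '(unset)';
        $stored = ($server['user'] ?? '') !== '' || ($server['password'] ?? '') !== '';
        switch ($type) {
            case 'config':
                $findings[] = "server $i: config auth logs in every visitor; "
                    . "restrict access with a firewall or web server authentication";
                break;
            case 'cookie':
                if ($secret === '') {
                    $findings[] = "server $i: cookie auth without \$cfg['blowfish_secret']";
                }
                if (!empty($cfg['AllowArbitraryServer'])) {
                    $findings[] = "server $i: AllowArbitraryServer lets users log in to any host";
                }
                // fall through: cookie and http share the stored-credentials check
            case 'http':
                if ($stored) {
                    $findings[] = "server $i: user/password should be empty for $type auth";
                }
                break;
            case 'signon':
                foreach (['SignonSession', 'SignonURL'] as $key) {
                    if (empty($server[$key])) {
                        $findings[] = "server $i: signon auth without $key";
                    }
                }
                break;
            default:
                $findings[] = "server $i: unknown or missing auth_type '$type'";
        }
    }
    return $findings;
}

// Constructed sample configuration, for demonstration only.
$cfg = ['blowfish_secret' => '', 'AllowArbitraryServer' => true];
$cfg['Servers'][1] = ['auth_type' => 'config', 'user' => 'root', 'password' => 'example'];
$cfg['Servers'][2] = ['auth_type' => 'cookie', 'user' => 'root', 'password' => ''];
$cfg['Servers'][3] = ['auth_type' => 'signon', 'SignonSession' => 'SignonSession'];

foreach (audit_auth_config($cfg) as $finding) {
    echo $finding, PHP_EOL;
}
```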

Articles related to HTTP authentication

  • FAQ 1.32 Can I use HTTP authentication with IIS?
  • FAQ 1.35 Can I use HTTP authentication with Apache CGI?
  • FAQ 4.1 I'm an ISP. Can I set up one central copy of phpMyAdmin or do I need to install it for each customer?
  • FAQ 4.2 What's the preferred way of making phpMyAdmin secure against evil access?
  • FAQ 4.4 phpMyAdmin always gives "Access denied" when using HTTP authentication.

signon

This feature is available since phpMyAdmin 2.10.0.

auth_type signon is a feature that allows phpMyAdmin to integrate with Single Sign-on (SSO) systems. Administrators can configure their phpMyAdmin installations to get a MySQL username and password from an existing SSO session, allowing the user to sign in once (to a control panel, for example) and then switch between applications such as phpMyAdmin without the need to log in again.

If you want to provide a fallback for users who are not logged in to the SSO system, you can create an additional cookie-authenticated server in the configuration and use SignonURL to redirect to that second server (the URL will look like http://host/server/index.php?server=2).

Example configuration for use with examples/signon.php:

$i = 0;
$i++; // server indexes start at 1; the sign-on script redirects to server=1
$cfg['Servers'][$i]['extension']     = 'mysqli';
$cfg['Servers'][$i]['auth_type']     = 'signon';
$cfg['Servers'][$i]['SignonSession'] = 'SignonSession';
$cfg['Servers'][$i]['SignonURL']     = 'examples/signon.php';
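The fallback described above, as an added configuration example (not taken from the phpMyAdmin distribution): server 1 uses signon and sends users without an SSO session to server 2, which uses cookie authentication. The host names, the URL and the secret are placeholders.

```php
<?php
// Added example; host names, URL and secret are placeholders.
$cfg['blowfish_secret'] = 'replace-with-your-own-random-passphrase'; // needed by cookie auth (server 2)

$i = 0;

// Server 1: credentials come from the SSO session.
$i++;
$cfg['Servers'][$i]['host']          = 'localhost';
$cfg['Servers'][$i]['extension']     = 'mysqli';
$cfg['Servers'][$i]['auth_type']     = 'signon';
$cfg['Servers'][$i]['SignonSession'] = 'SignonSession';
// No SSO session: send the user to the cookie-authenticated server below.
$cfg['Servers'][$i]['SignonURL']     = 'http://host/server/index.php?server=2';

// Server 2: same MySQL host, reached through phpMyAdmin's own login form.
$i++;
$cfg['Servers'][$i]['host']          = 'localhost';
$cfg['Servers'][$i]['extension']     = 'mysqli';
$cfg['Servers'][$i]['auth_type']     = 'cookie';
// user and password stay unset for cookie auth
```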

You have to populate the 'SignonSession' in your own application:

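// ...
if (!empty($_POST)) {
    // make the cookie reachable (the 4th argument is the Secure flag; use true when the site is served over HTTPS):
    session_set_cookie_params(0, '/', '', 0);
    // same session name as SignonSession in the configuration:
    session_name('SignonSession');
    session_start();
    // store the credentials for phpMyAdmin:
    $_SESSION['PMA_single_signon_user'] = $_POST['user'];
    $_SESSION['PMA_single_signon_password'] = $_POST['password'];
    $_SESSION['PMA_single_signon_host'] = $_POST['host']; // pma >= 2.11
    // save changes:
    session_write_close();
    // finally redirect to phpMyAdmin:
    header('Location: ../index.php?server=1');
    exit;
}
// ... the login form may follow here ...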

How to create a simple login form (see examples/signon.php):

<form action="signon.php" method="post">
Username: <input type="text" name="user" />
Password: <input type="password" name="password" />
Host: (will use the one from the configuration file by default)
<input type="text" name="host" />
<input type="submit" />
</form>
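A stricter variant of the sign-on handler shown above, added here as an example (it is not examples/signon.php and not code from the phpMyAdmin project): because the form lets the user name the MySQL host, the handler accepts only hosts from an allow-list, rejects non-string fields, sets Secure/HttpOnly/SameSite on the session cookie and issues a fresh session ID. It assumes HTTPS and PHP 7.3 or later; $allowedHosts, its entries and the reject() helper are hypothetical.

```php
<?php
// Added example, not examples/signon.php itself. Assumes HTTPS and PHP 7.3+.
// $allowedHosts and its entries are hypothetical; list your own MySQL servers.
$allowedHosts = ['localhost', 'db1.example.internal'];

function reject(): void
{
    http_response_code(400);
    exit('Invalid sign-on request');
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Accept plain strings only; a field sent as an array (host[]=...) is rejected.
    $in = [];
    foreach (['user', 'password', 'host'] as $field) {
        $value = $_POST[$field] ?? '';
        if (!is_string($value)) {
            reject();
        }
        $in[$field] = $value;
    }
    // The host is user-supplied: allow only pre-approved servers (strict match).
    if ($in['user'] === '' || ($in['host'] !== '' && !in_array($in['host'], $allowedHosts, true))) {
        reject();
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',     // must be visible to phpMyAdmin, as in the original
        'secure'   => true,    // never send the session cookie over plain HTTP
        'httponly' => true,    // keep it away from page scripts
        'samesite' => 'Lax',
    ]);
    session_name('SignonSession'); // same value as $cfg['Servers'][$i]['SignonSession']
    session_start();
    session_regenerate_id(true);   // fresh ID, so a pre-set session ID is not reused
    $_SESSION['PMA_single_signon_user'] = $in['user'];
    $_SESSION['PMA_single_signon_password'] = $in['password'];
    if ($in['host'] !== '') {      // empty: phpMyAdmin keeps its configured host
        $_SESSION['PMA_single_signon_host'] = $in['host'];
    }
    session_write_close();
    header('Location: ../index.php?server=1');
    exit;
}
// ... the login form follows here ...
```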