diff --git a/ChangeLog b/ChangeLog index f76b4c3bb..ab3e950a0 100755 --- a/ChangeLog +++ b/ChangeLog @@ -12,8 +12,8 @@ $Source$ * Documentation.html, line 282: the suggested statement to create a new user and give him grants on a db was invalid. * Documentation.txt: updated. - * config.inc.php3; main.php3; lang/*; libraris/common.lib.php3; - libraries/auth/*: + * config.inc.php3; Documentation.html; main.php3; lang/*; + libraries/common.lib.php3; libraries/auth/*: - moved all the authentication work in libraries so it will be easier to add new authentication modes; - started merging patch #463127 - Cookie based authentication, thanks to diff --git a/Documentation.html b/Documentation.html index 66d11eff6..a79fb1290 100755 --- a/Documentation.html +++ b/Documentation.html @@ -209,7 +209,7 @@ before uploading them to your server.

-

Quick Install:

+

Quick Install:

  1. Untar or unzip the distribution (be sure to unzip the subdirectories): tar xzvf phpMyAdmin_x.x.x.tar.gz
  2. @@ -219,17 +219,19 @@ Configuration section for an explanation of all values.
  3. It is recommended that you protect the directory in which - you installed phpMyAdmin (unless it's on a closed intranet, or you wish to use advanced authentication), - for example with HTTP-AUTH (in a .htaccess file). See the + you installed phpMyAdmin (unless it's on a closed intranet, or you + wish to use http authentication), for example with HTTP-AUTH (in a + .htaccess file). See the FAQ section for additional information.
  4. Open the file <www.your-host.com>/<your-install-dir>/index.php3 in your browser. phpMyAdmin should now display a welcome screen - and your databases, or a login dialog if using advanced authentication.
  5. + and your databases, or a login dialog if using http or cookie + authentication mode.
-

Upgrading from an older version:

+

Upgrading from an older version:

-

Using Advanced Authentication:

+

Using http authentication mode:
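
Review bot: Step 3 of Quick Install now exempts only "http authentication" from the advice to protect the install directory, while the following step says a login dialog appears "if using http or cookie authentication mode". If cookie mode is meant to fall under the same exemption, name it in step 3 as well; if it is not, say so explicitly so that readers using cookie mode know they should still protect the directory.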

  1. phpMyAdmin needs a stduser that has only the SELECT @@ -286,6 +288,26 @@
+

Using cookie authentication mode:

+ + +

Using standard authentication mode:

+ + +

@@ -369,16 +391,16 @@ $cfgServers[n]['stdpass'] string
- When using advanced authentication mode (or standard authentication - mode since phpMyAdmin 2.2.1), you need to supply the details of a MySQL - account that has SELECT privilege on the mysql.user (all - columns except "Password"), mysql.db (all columns) - & mysql.tables_priv (all columns except "Grantor" - & "Timestamp") tables. + When using http or cookie authentication modes (or standard + authentication mode since phpMyAdmin 2.2.1), you need to supply the + details of a MySQL account that has SELECT privilege on the + mysql.user (all columns except "Password"), + mysql.db (all columns) & mysql.tables_priv (all columns + except "Grantor" & "Timestamp") tables. This account is used to check what databases the user will see at login.
Please see the install section - on "Using advanced authentication" for more information. + on "Using http authentication" for more information.
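
Review bot: The cross-reference closing this paragraph points only to "Using http authentication", but the rewritten paragraph applies to "http or cookie authentication modes" and this patch adds a separate "Using cookie authentication mode" install section. Point the reader to both sections, or to whichever one documents the stduser grants for cookie mode.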

Note that if you try login to phpMyAdmin with this "stduser", you could get some errors, depending the exact privileges you gave to @@ -387,21 +409,36 @@

-
$cfgServers[n]['adv_auth'] boolean
+
$cfgServers[n]['auth_type'] string ['http'|'cookie'|'basic']
- Whether basic or advanced authentication should be used for this - server.
- Basic authentication ($adv_auth = FALSE) is the - plain old way: username and password are stored in - config.inc.php3. - Advanced authentication ($adv_auth = TRUE) as - introduced in 1.3.0 allows you to log in as any valid MySQL user via - HTTP-Auth.
- Please note that this authentication mode is - only supported with PHP running as an Apache - module, and not with cgi.

+ Whether basic or cookie or http authentication should be used for this + server. - Using advanced authentication is recommended: +
+ + Using http or cookies authentication modes are recommended: - Advanced authentication is secure as the MySQL passwords does not need - to be set in the phpMyAdmin configuration file. (except for the standard - user -see above-). + http or cookies authentications are secure as the MySQL passwords does + not need to be set in the phpMyAdmin configuration file. (except for the + "standard user" -see above-).
+ If security is your main concern, always prefer the http authentication + mode.

- Please see the install section on "Using advanced - authentication " for more information. + Please see the install section on "Using http authentication" + for more information.
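
Review bot: The new auth_type description no longer says what each value does. The removed text explained that basic mode stores the username and password in config.inc.php3 and that HTTP-Auth is only supported with PHP running as an Apache module, and the visible added lines replace neither statement. Add a short description per value ('http', 'cookie', 'basic') and keep the Apache-module restriction for 'http' if it still applies. Also settle on one spelling ("cookie" in the option list, "cookies" in the recommendation) and on one name for the third mode, which is 'basic' here but "standard authentication mode" in the install section and the stdpass entry.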

@@ -431,8 +470,8 @@
The user/password-pair which phpMyAdmin will use to connect to this - MySQL-server. The password is not needed when advanced authentication - is used, and should be empty.

+ MySQL-server. The password is not needed when http or cookie + authentication is used, and should be empty.

$cfgServers[n]['only_db'] string or array
@@ -838,13 +877,14 @@

Using phpMyAdmin on IIS, I'm facing crashes and/or many error messages - with the advanced authentication mode. + with the http or advanced authentication mode.
This is a known problem with the php ISAPI filter: it's not so stable. For some more information and complete testings see the messages posted by André B. aka "djdeluxe76" in this thread - from the phpWizard forum. + from the phpWizard forum.
+ Please use instead the cookie authentication mode.
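
Review bot: The changed FAQ question reads "with the http or advanced authentication mode", which keeps the old term that the rest of this patch renames; there is no "advanced" mode among the auth_type values. It should read "with the http authentication mode", which also matches the added answer line recommending cookie mode as the alternative.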

@@ -991,8 +1031,8 @@

Each time I want to insert or change a record or drop a database or a - table, an error 404 (page not found) is displayed or, with advanced - authentication, I'm asked to login again. What's wrong? + table, an error 404 (page not found) is displayed or, with http or + cookie authentication, I'm asked to login again. What's wrong?
Check the value you set for the $cfgPmaAbsoluteUri directive in the phpMyAdmin configuration file. @@ -1001,8 +1041,8 @@

[Known limitations]

- When using advanced authentication, an user who logged out can not - relogs in with the same nick. + When using http authentication, an user who logged out can not relog + in with the same nick.
This is related to the authentication mechanism (protocol) used by phpMyAdmin. We plan to change it as soon as we may find enough free time @@ -1020,7 +1060,8 @@ your users. The development of this feature was kindly sponsored by NetCologne GmbH. This requires a properly setup MySQL user management and phpMyAdmin - advanced authentication. See the install section on "Using advanced authentication" + http authentication. See the install section on + "Using http authentication".

@@ -1032,7 +1073,7 @@ sufficient to use the directory protection bundled with your webserver (with Apache you can use .htaccess files, for example).
If other people have telnet access to your server, you should use - phpMyAdmin's advanced authentication feature. + phpMyAdmin's http authentication feature.

Suggestions:

@@ -1060,7 +1101,7 @@ "./lang" to allow normal operation of phpMyAdmin.

- phpMyAdmin always gives "Access denied" when using advanced + phpMyAdmin always gives "Access denied" when using http authentication.
This could happen for several reasons: