blowfisch cookie auth?

[StefanR]

Moin,

mir ist heute in der phpmyadmin config das erste mal der Config Index blowfisch_secret aufgefallen.

Hat jemand irgendwo mal ne Erklärung, wie oder warum nen Cookie, mit sonem Key sicherer sein soll, versteh den Sinn net ganz.

Danke im Vorraus.

 

[Flex]

HTTP and cookie authentication modes are more secure: the MySQL login information does not need to be set in the phpMyAdmin configuration file (except possibly for the controluser).
However, keep in mind that the password travels in plain text, unless you are using the HTTPS protocol.
In cookie mode, the password is stored, encrypted with the blowfish algorithm, in a temporary cookie.

The "cookie" auth_type uses blowfish algorithm to encrypt the password.
If you are using the "cookie" auth_type, enter here a random passphrase of your choice. It will be used internally by the blowfish algorithm: you won’t be prompted for this passphrase. The maximum number of characters for this parameter seems to be 46.

Since version 3.1.0 phpMyAdmin can generate this on the fly, but it makes a bit weaker security as this generated secret is stored in session and furthermore it makes impossible to recall user name from cookie.

Aus der phpMyAdmin Doku zusammengeschnippselt.

 

[StefanR]

Hmm was ich nur net schnall ist, was der in der Config hinterlegte Secret Code für ne Rolle spielt, es würde doch reichen wenn das mysql pass im cookie encrypted abgelegt wird oder nicht?