7

I'm writing a webhosting control panel for our organization, and would like to be able to automatically log in a user to phpMyAdmin.

  1. User logs in to our control panel
  2. User clicks "Manage databases"
  3. User gets redirected to PHPMyAdmin and is automatically logged in

What would be the best way to do this?

Of course we don't want to save our users' control panel account passwords in our database in plain text.

Giacomo1968
RobinJ
  • 2
    What have you tried? This is a broad question, minimize your question and please come with a specific one. – The Alpha Jun 27 '14 at 11:25
  • @WereWolf-TheAlpha Nothing yet. I'm not sure where to start. I'm not only asking *how* to do it, but also what would be *the best* way(s) of doing it. – RobinJ Jun 27 '14 at 16:31
  • 1
    “What would be the best way to do this?” Sounds like a fantastic idea. Just remove one extra step from a site being hacked. – Giacomo1968 Jul 01 '14 at 00:14
  • So you want a system to automatically pass a username and password to an application, but don't want to store the username and password? Somewhere some part of the system is going to need to know them. – Isaac Bennetch Jul 02 '14 at 02:57
  • @IsaacBennetch Unless there's a way to not have to do that, like sharing the session cookie. – RobinJ Jul 03 '14 at 13:58
  • **This should do the trick:** http://stackoverflow.com/questions/5687970/auto-login-phpmyadmin?rq=1 – Valentin Mercier Jul 06 '14 at 10:12
  • Check out my answer at the following link: http://stackoverflow.com/a/41158794/5558905 – MyO Dec 15 '16 at 07:45

4 Answers

4

You have to edit the config file to do this. Open the file with a text editor:

`\phpMyAdmin\config.inc.php`

Replace the following code

```php
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = '';
$cfg['Servers'][$i]['password'] = '';
```

With this

```php
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'Server Username';
$cfg['Servers'][$i]['password'] = 'Server Password';
```

Replace the Server Username with the username of your database server. By default it is root for localhost.

Replace the Server Password with the password of your database server. By default it remains blank for localhost.

Now, save the file and try to open the MySQL Admin from your browser. Now, you should get redirected to phpMyAdmin automatically.

Please be aware that now everyone who wants to can log in!

3

I don't think there is a way to do it without knowing a set of username and password. In the end phpMyAdmin is just the middleware that connects your session to the database.

As far as I know, phpMyAdmin itself does not even have its own user table. It basically tries to log in to the database with the credentials you provided. If successful, it stores your credentials in its cookies, although they are encrypted. That's why phpMyAdmin asks for a Blowfish secret in your config file, to store your credentials more securely.

The closest you can get to what you want is actually built in to phpMyAdmin, see http://wiki.phpmyadmin.net/pma/Auth_types on Single Sign-on.

auth_type signon is a feature to allow phpMyAdmin to integrate with Single Sign-on (SSO) systems. Administrators can configure their phpMyAdmin installations to get a MySQL username and password from an existing SSO session, allowing the user to sign in once to a control panel, for example, and then switch between applications such as phpMyAdmin without the need to log in again.

For me, I would create a new user for each of your user accounts, e.g. a user called foo might have an SSO-only account called foo_mysql. Then store foo_mysql and its password (encrypted) in your database. When your user tries to access phpMyAdmin from your admin portal, you sign them on with the "signon" auth type set up as described in http://wiki.phpmyadmin.net/pma/Auth_types#signon.

A more secure way (but I still have my own doubts) could be that you create a temporary SSO-only account only when needed. For example, generate a new random foo_4f65ca1d each time the user requests to access phpMyAdmin from your admin portal. Then send the new credentials over to phpMyAdmin.

Once you have passed it to phpMyAdmin, it will be phpMyAdmin that manages the credentials the usual phpMyAdmin way. When the user logs out from your portal, delete the temporary user. Or set up a scheduled task to delete them after a set period (probably a period in sync with phpMyAdmin session length).

This way the account itself behaves pretty much like a user session. You don't even have to store those credentials, plaintext or encrypted in your database.

I'm no security expert here but I hope this could fire off some discussion or some other more secure solutions.

Unnawut
  • This definitely seems like the best solution to me as well. The `examples` folder of your phpMyAdmin installation has some scripts you can refer to in order to start building this. – Isaac Bennetch Jul 02 '14 at 02:56
  • What I ended up doing: when the user clicks the link to PHPMyAdmin, I check if a user for them exists and if not create it. After that I generate a random password, regardless of if the user is new or not. Last, I pass the username and password to PHPMyAdmin through a POST request. – RobinJ Jul 06 '14 at 10:56
  • In newer versions (> 4.9.0) you can/should use SSO as shown here: https://stackoverflow.com/questions/49066573/how-programatically-authorize-user-into-phpmyadmin/74493875#74493875 – Marco Nov 21 '22 at 10:23
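The temporary-credential signon flow discussed in the answer and comments above, as an added sketch (not code from the thread or from phpMyAdmin's `examples` folder). It assumes PHP 7.3+, MySQL 5.7+, and that the panel and phpMyAdmin share PHP session storage on one host; the URLs, the `_mysql` suffix, the admin DSN and the function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example. phpMyAdmin side (config.inc.php), using its signon settings:
//   $cfg['Servers'][$i]['auth_type']     = 'signon';
//   $cfg['Servers'][$i]['SignonSession'] = 'SignonSession';
//   $cfg['Servers'][$i]['SignonURL']     = '/panel/databases.php'; // hypothetical panel URL

const SIGNON_SESSION = 'SignonSession';   // must match the config value above
const PMA_URL = '/phpmyadmin/index.php';  // assumed phpMyAdmin location

/** Create the per-user MySQL account if missing and give it a fresh random password. */
function rotate_db_account(PDO $admin, string $panelUser): array
{
    // Account names cannot be bound as statement parameters, so allow-list them.
    if (!preg_match('/^[a-z][a-z0-9]{0,15}$/', $panelUser)) {
        throw new InvalidArgumentException('unexpected user name');
    }
    $dbUser = $panelUser . '_mysql';
    $password = bin2hex(random_bytes(24));   // 48 hex chars, never stored by the panel
    $acct = $admin->quote($dbUser) . "@'localhost'";
    $pwSql = $admin->quote($password);
    // Setting the password in CREATE avoids a window with an empty password;
    // ALTER rotates it when the account already existed.
    $admin->exec("CREATE USER IF NOT EXISTS $acct IDENTIFIED BY $pwSql");
    $admin->exec("ALTER USER $acct IDENTIFIED BY $pwSql");
    return [$dbUser, $password];
}

/** Put the credentials where auth_type 'signon' looks for them, then redirect. */
function hand_over_to_phpmyadmin(string $dbUser, string $password): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();               // close the panel's own session first
    }
    session_name(SIGNON_SESSION);
    session_set_cookie_params(['path' => '/', 'secure' => true,
                               'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true);             // do not reuse a client-supplied session id
    $_SESSION['PMA_single_signon_user'] = $dbUser;
    $_SESSION['PMA_single_signon_password'] = $password;
    session_write_close();
    header('Location: ' . PMA_URL);
}

// Usage from the "Manage databases" handler, after the panel has authenticated the user:
//   $admin = new PDO('mysql:host=localhost', 'panel_admin', $adminPw,
//                    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
//   hand_over_to_phpmyadmin(...rotate_db_account($admin, $authenticatedPanelUser));
//   exit;
```

The admin account used here needs only the `CREATE USER` privilege plus whatever grants the panel assigns; privileges for the per-user account are granted separately.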
0

If I got you right, you want to achieve that your customers can access "their" databases without the need to supply any credentials before? I think this can't be done with MyAdmin without adding some custom PHP code. If your control panel is also PHP, you may set session vars containing the needed information like user, passwd and database-name etc. which are then processed by the authentication method in MyAdmin. Maybe this could be a start: php sessions to authenticate user on login form

Edit: phpMyAdmin seems to have the code for SSO meanwhile, so all you need is to set the correct values in your control panel before. Have a look at: http://wiki.phpmyadmin.net/pma/Auth_types#signon

Community
Chris
-3

I think this is the solution for your problem.

Add these lines before the first `for` statement in config.inc.php:

```php
$cfg['Servers'][1]['auth_type'] = 'config';
$cfg['Servers'][1]['host'] = 'localhost'; // edit if you have the db on another host
$cfg['Servers'][1]['connect_type'] = 'tcp';
$cfg['Servers'][1]['compress'] = false;
$cfg['Servers'][1]['extension'] = 'mysql';
$cfg['Servers'][1]['user'] = 'root'; // edit this line
$cfg['Servers'][1]['password'] = ''; // edit this line
```

Hope this will help.

Marko Vasic