Setting phpMyAdmin cookie timeout to 3 hours...
-
-
@all_users that makes sense to me as the obvious way to handle such a critical misconfiguration.
Oh wait.
No it doesn't.
-
Not that it's the only problem I've had.
I'm also having to deal with a particularly brain-dead ISP running the WiFi I'm currently using, since it's moving my exit-point IP every couple of minutes...
<Directory /usr/share/phpMyAdmin/>
    AddDefaultCharset UTF-8
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require local
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from All
        Allow from 127.0.0.1
        Allow from ::1
        Allow from 86.149.109.59
        Allow from 2.99.90.84
        Allow from 94.118.0.0/16
        Allow from 94.117.0.0/16
    </IfModule>
</Directory>
-
@all_users said in Setting phpMyAdmin cookie timeout to 3 hours...:
moving my exit-point IP every couple of minutes...
It sounds like you should be using client-side certificates. Even a simple HTTP auth over SSL would be better than the whack-a-mole you're currently playing. Let's Encrypt certificates are so cheap it's like they're free.
-
@cark said in Setting phpMyAdmin cookie timeout to 3 hours...:
It sounds like you should be using client side certificates.
That's usually a service-wide setting, so you have to host the admin interface on a separate port to the main service interface or do some moderately annoying tinkering inside the process. OTOH, once you have it set up it's really good and strong. Assuming that you only ever admin from a non-shared computer…
-
@cark said in Setting phpMyAdmin cookie timeout to 3 hours...:
Let's Encrypt certificates are so cheap it's like they're free.
And so easy to implement with versions of Plesk before 12.5. Oh wait...
I started looking into doing my own scripting to do it, but got distracted by other things.
-
@dkf said in Setting phpMyAdmin cookie timeout to 3 hours...:
@cark said in Setting phpMyAdmin cookie timeout to 3 hours...:
It sounds like you should be using client side certificates.
That's usually a service-wide setting, so you have to host the admin interface on a separate port to the main service interface or do some moderately annoying tinkering inside the process.
I normally give each thing its own subdomain. Not sure about Apache, but in Nginx different vhosts can have completely different settings. I can specify mandatory client certs for phpmyadmin.domain and leave the rest as it is. That said, I never figured out how to properly set up client certs in Nginx.
-
@all_users said in Setting phpMyAdmin cookie timeout to 3 hours...:
@cark said in Setting phpMyAdmin cookie timeout to 3 hours...:
Let's Encrypt certificates are so cheap it's like they're free.
And so easy to implement with versions of Plesk before 12.5. Oh wait...
I started looking into doing my own scripting to do it, but got distracted by other things.
Certbot probably has your use case covered as long as you don't mind using the CLI and giving it access to your keys/filesystem.
-
@dkf said in Setting phpMyAdmin cookie timeout to 3 hours...:
That's usually a service-wide setting, so you have to host the admin interface on a separate port to the main service interface or do some moderately annoying tinkering inside the process. OTOH, once you have it set up it's really good and strong. Assuming that you only ever admin from a non-shared computer…
Since he's using Apache, he can definitely set SSLVerifyClient by location. It's one of the reasons SSL session renegotiation exists.
-
@heterodox TIL.
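
The per-location SSLVerifyClient approach mentioned above, sketched as an added example (not posted by anyone in the thread) that replaces the IP allowlist with a client-certificate check. The CA bundle path and the certificate CN are assumed placeholders, and the block is meant to sit inside an existing HTTPS virtual host on Apache 2.4.

```apache
# Added example, not from the thread. Goes inside the existing
# <VirtualHost *:443> that already has SSLEngine on and a server certificate.

# Assumed path: PEM file of the private CA that signs the admin client certs.
# This directive is only valid at server/vhost level, not inside <Directory>.
SSLCACertificateFile /etc/pki/tls/certs/admin-client-ca.pem

<Directory /usr/share/phpMyAdmin/>
    AddDefaultCharset UTF-8

    # Refuse any request for this directory that did not arrive over TLS.
    SSLRequireSSL

    # Demand a client certificate for this directory only. The rest of the
    # vhost keeps its own (usually "none") setting; Apache renegotiates the
    # TLS session when a request for this path comes in.
    SSLVerifyClient require

    # Accept only certificates issued directly by the CA above.
    SSLVerifyDepth 1

    # No "Allow from <address>" lines: access no longer depends on the
    # client's source IP, so a changing exit IP does not matter.
    # Pin the certificate subject as well, so that not every certificate
    # from that CA is enough. "pma-admin" is an assumed CN.
    Require expr "%{SSL_CLIENT_S_DN_CN} == 'pma-admin'"
</Directory>
```

Under TLS 1.3 there is no renegotiation, so a per-directory SSLVerifyClient depends on the client supporting post-handshake authentication. Putting phpMyAdmin on its own virtual host with SSLVerifyClient set at vhost level avoids that dependency.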