Block phpMyAdmin access when not logged on ISPConfig

Discussion in 'Installation/Configuration' started by manoaratefy, Nov 10, 2021.

  1. manoaratefy

    manoaratefy New Member

    Good morning,
    Is there a way to block phpMyAdmin access when not logged on ISPConfig ? I managed to block access when the ISPConfig cookie is absent, using .htaccess, but I didn't found any what to check if the cookie is valid or not, and if the cookie is related to an active connection.

    My current .htaccess:
    RewriteEngine on
    RewriteCond %{HTTP_COOKIE} !ISPCSESS\= [NC]
    RewriteRule .* - [R=401,L]
    Can you help me?
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I did the same type of session check for monit, which you can refer to. It is tenuous at best, treating session_data as a string rather than serialized data, and it could break at any time. In fact, some upcoming/in progress changes could well affect it in the next ispconfig release.
           AuthzDBDQuery "SELECT 'monit' FROM sys_session WHERE session_id = %s and session_data like '%%monitor/show_monit.php%%'"
    A better solution would probably figure out how to have apache call a php app which reads sys_session and properly deserializes it. Or rewrite the session handling to structure data in db fields rather than serializing a php array.

Share This Page