24 Nov
2004
24 Nov
'04
9:31 a.m.
Hi Marc!
Hi Garvin,
this would mean that a stolen cookie can be used to authenticate.
Well, but let's say PMA is used on a host which is restricted via IP protection,
or an internal server, where you suppose no cookies can/will be stolen - the
only way for users without mcrypt would be to not use cookies; instead I would
think it would be better to offer them to turn of validity checking in that
case.
But then again, I'm not much into all that Cookie-Stealing-Security issues. :)
Regards,
Garvin.
--
Garvin Hicking | Web-Entwickler | Make me happy:
www.supergarv.de | #ICQ 21392242 | http://wishes.garv.info/