-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Marc Delisle wrote:
Sebastian Mendel wrote:
Marc Delisle wrote:
Garvin Hicking wrote:
Hi!
Can't we implement some of the countermeasures as explained in section 5 of this document? For example, binding the legitimate user's IP address to our session data?
The easiest way to counter session fixation is to just perform a session_regenerate_id() after the login. This way, any "fixated" session will be changed to a random session ID after the credentials are entered.
Ok, but this would move our minimum PHP version to 4.3.2. Probably not too bad, see http://www.nexen.net/chiffres_cles/phpversion/php_statistics_for_april_2006....
You can do this without session_regenerate_id() too.
But, as you say, there would still be the hijacking problem, so let's say that regenerating session id could be added in 2.9.x as an added security measure, not for allowing users to disable their cookies.
But we have no hijacking problem - the login is not stored in the session!
You're right. I forgot this because you talked about hijacking in a previous message :)
Yes, but I also mentioned: "but of course this [hijacking/fixation] is not possible with PMA currently - as the auth is not handled with session!"
So, with a regenerating technique we could use URL-based session id and avoid our cookie restriction? :)
phpMyAdmin is not just any web application, it is an administration tool! And I think we can demand that our customers accept cookies for their own security!
Whether it is possible at the moment to make any use of a hijacked session ID or not!
We should try to be as secure as possible from the start!
And if it is really, really, really required to use URL-based session IDs, then we could introduce a config switch to enable this - but I think most ISPs will never set this to true (even more, I think if it were enabled by default most would set it to false), as most ISPs know that if something goes wrong the customers blame them (the ISP) and not themselves!
-- 
Sebastian Mendel
www.sebastianmendel.de
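The countermeasure discussed in the thread (rotate the session ID with session_regenerate_id() once the credentials have been verified, optionally binding the session to the client's IP address as in section 5 of the referenced document), as an added example that is not phpMyAdmin's code and not part of the original message. The thread notes that phpMyAdmin itself does not keep the login in the session; this example stores it there only to show the general pattern. checkCredentials() is a hypothetical stand-in for a real authentication check, and the demo account in it is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyAdmin code. Shows the session-fixation countermeasure
// from the thread: after the credentials are verified, replace the (possibly
// attacker-planted) session ID with a fresh random one, so the pre-login ID
// never carries authenticated state.

session_start();

/** Hypothetical credential check; a real application uses its own user store. */
function checkCredentials(string $user, string $password): bool
{
    // constructed demo account for the example only
    $demoHash = password_hash('demo-password', PASSWORD_DEFAULT);
    return $user === 'demo' && password_verify($password, $demoHash);
}

/**
 * Log the user in. Returns the new session ID, or null if the credentials
 * were rejected (in which case the session is left untouched and unauthenticated).
 */
function login(string $user, string $password): ?string
{
    if (!checkCredentials($user, $password)) {
        return null;
    }
    // Drop the pre-login session ID. Passing true also deletes the old session
    // store entry, so an ID fixed before login stops resolving to anything.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    // Optional IP binding as mentioned in the thread. Clients behind rotating
    // proxies change address mid-session, so a real deployment would make
    // this configurable rather than unconditional.
    $_SESSION['bound_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    return session_id();
}

/** On every later request: accept the session only if its binding still matches. */
function sessionIsValid(): bool
{
    if (empty($_SESSION['user'])) {
        return false;
    }
    if (($_SESSION['bound_ip'] ?? '') !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        // Binding mismatch: treat the session as hijacked and discard it.
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}

// Usage from a login form handler: the ID seen before login must differ from
// the one handed back afterwards.
$oldId = session_id();
$newId = login($_POST['user'] ?? '', $_POST['password'] ?? '');
if ($newId !== null && $newId !== $oldId) {
    echo "logged in; session ID rotated\n";
} else {
    echo "login failed; session ID unchanged\n";
}
```

Because the old session entry is deleted with session_regenerate_id(true), the only ID that is authenticated is the one issued after the credentials were checked, which is exactly the property a fixated ID lacks.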