-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi there,
Marc Delisle wrote:
Garvin Hicking wrote:
About the LoginCookieValidity - a question: Since I don't use cookie auth, is it possible for users to set LoginCookieValidity off (say to 0) so that the en/decoding of the cookie is not always performed?
Hi Garvin, this would mean that a stolen cookie can be used to authenticate.
First of all, storing the cookie safely is the client's task. If by "stolen cookie" you are talking about someone sniffing my traffic and extracting the encrypted password: Well, that's what SSL is made for. On top of that: On login, the user has to send his password unencrypted over the wire. If I wanted to hack someone, I'd grab the password there instead of "stealing" the cookie.
We cannot always save the world. The encryption feature is a nice possibility to make PMA a bit more secure for users of Microsoft's Internet Exploiter, but if it slows down PMA that much, we should give the users the ability to switch it off.
Alternatively, we could maybe implement an auth plugin that uses sessions and deprecate the cookie plugin step by step.
Regards,
AMT