Hi Marc!
I have not read the source, so my question is: When not using cookies and having URL-based sessions, where else would you store another authentication token?
Do you mean a future new auth mechanism?
No, I was talking about your proposal :)
Currently we have published that enabling cookies was only required with auth_type = 'cookie'. I am in favor of asking to enable cookies in all cases, it's just that we have to publish it evidently and do it soon, like in 2.8.2.
I think publishing that is a good thing.
I don't think this is possible, because if a user doesn't have cookies, all there's left is HTTP Authentication [which only works with mod_php and not the CGI] and the URI. The URI can be hijacked, so... there's nothing left to store data in? All storage in $_SESSION will be available to the session-ID hijacker...
config.inc.php can store fixed auth data and we support this...
Yes, but that would still mean that with a hijacked session ID in the URL you could do everything that the "real" person could do - and you were explicitly asking if there is a way to:
* Do not use cookies
* Use session storage
* Use session ID propagation through URL
* Be not subject to session hijacking
IMHO there is no way to make that happen.
Best regards, Garvin
--
++ Garvin Hicking | Web developer [PHP] | www.garv.in | ICQ 21392242
++ Developer of | www.phpMyAdmin.net | www.s9y.org
++ Make me happy | http://wishes.garv.in
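As an added illustration (not code from this thread or from phpMyAdmin), these are the PHP session settings behind the two modes discussed above: session ID propagation through the URL, the case Garvin argues cannot be protected, beside a cookie-only configuration with the ID rotated at login. The function names and the cookie flags chosen are assumptions of this example; the ini keys are standard PHP settings.

```php
<?php
// Added example, not from the thread or phpMyAdmin.

// --- Weak: session ID travels in the URL (?PHPSESSID=...) ---
// Whoever presents that ID gets the whole $_SESSION, including any
// auth data stored in it, which is exactly the point made above.
function configure_url_sessions(): void
{
    ini_set('session.use_cookies', '0');
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_trans_sid', '1');   // rewrite links to carry the ID
}

// --- Hardened: cookie-only sessions ---
function configure_cookie_only_sessions(): void
{
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1'); // ignore IDs from URL or POST
    ini_set('session.use_trans_sid', '0');   // never rewrite links
    ini_set('session.cookie_httponly', '1'); // not readable from script
    ini_set('session.cookie_samesite', 'Strict');
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', '1'); // cookie only over TLS
    }
}

// Defence in depth: refuse a session ID that arrived in the query string
// even if some upstream php.ini re-enabled trans_sid.
function start_session_safely(): void
{
    configure_cookie_only_sessions();
    if (isset($_GET[session_name()])) {
        http_response_code(400);
        exit('Session IDs in the URL are not accepted.');
    }
    session_start();
}

// Rotate the ID at login so an ID observed before authentication
// is worthless afterwards (hypothetical helper name).
function mark_authenticated(string $user): void
{
    session_regenerate_id(true);   // discard the pre-login session ID
    $_SESSION['user'] = $user;
}
```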