Michal Čihař wrote:
On Fri, 28 Apr 2006 10:38:36 +0200 Sebastian Mendel lists@sebastianmendel.de wrote:
Whether the URL sid is allowed or not is set in session.inc.php. Possibly we could add a $cfg to allow the URL sid, so it is the choice of the user whether he allows the sid via URL or not.
Yes, we should add a config option for that, and add a documentation note that we require cookies unless this is enabled.
I am not really in favor of this idea. I guess it's the old security versus usability issue.
On one hand, we have users who have control over their browser and who, for some reason, disable cookies.
On the other hand, many users are using PMA on a shared installation, on which they have no control over the PMA config.
In practice, is the threat of session fixation/hijacking real?
P.S. In 2.8.1 we now have this cookies restriction but I don't think it's documented.
http://sourceforge.net/tracker/index.php?func=detail&aid=1497352&gro...
Marc
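The switch the thread is talking about (accept the session id from the URL, or insist on a cookie) maps onto a couple of PHP session ini settings, and the fixation risk Marc asks about is addressed by rotating the id on login regardless of which way the switch is set. The sketch below is an added example for this thread, not phpMyAdmin's own session.inc.php and not a patch anyone posted; the option name $cfg['AllowSessionIdInUrl'] and the function names are hypothetical, while the ini keys and session functions are standard PHP.

```php
<?php
// Added example, not phpMyAdmin code. $cfg['AllowSessionIdInUrl'] is a
// hypothetical option name; the ini keys and session_* calls are real PHP.

// Hypothetical config switch. Default is the restrictive behaviour:
// the session id must arrive in a cookie, never in the query string.
$cfg['AllowSessionIdInUrl'] = false;

function pma_start_session(array $cfg)
{
    $allowUrlSid = !empty($cfg['AllowSessionIdInUrl']);

    ini_set('session.use_cookies', '1');
    // use_only_cookies=1 makes PHP ignore ?PHPSESSID=... in the request,
    // which is what blocks an attacker from handing a victim a chosen id.
    ini_set('session.use_only_cookies', $allowUrlSid ? '0' : '1');
    // use_trans_sid=1 makes PHP append the id to links and forms when no
    // cookie is present; that is the "cookies disabled" convenience, and it
    // is also how the id leaks into Referer headers, logs and bookmarks.
    ini_set('session.use_trans_sid', $allowUrlSid ? '1' : '0');
    ini_set('session.cookie_httponly', '1');

    session_start();

    // If the administrator did not opt in, a sid in the query string is
    // either a stale bookmark or a fixation attempt. PHP already ignores it
    // with use_only_cookies=1; tell the user why they are not logged in
    // instead of silently handing them a fresh empty session.
    if (!$allowUrlSid
        && isset($_GET[session_name()])
        && !isset($_COOKIE[session_name()])) {
        $_SESSION['cookie_notice'] =
            'phpMyAdmin requires cookies; the session id in the URL was ignored.';
    }
}

function pma_on_login_success($username)
{
    // Rotate the id at the privilege boundary. Whether the old id came from
    // a cookie or (if allowed) the URL, anything an attacker planted before
    // authentication is now worthless. The true argument removes the old
    // session data so the old id cannot be replayed.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
}

pma_start_session($cfg);
```

The point of splitting it this way: the config option only decides how convenient the URL-sid fallback is for cookie-less users, while the regenerate-on-login step is the part that actually answers the fixation question, so it should run in both configurations. Enabling the URL sid still leaves hijacking via leaked links and Referer headers, which is the caveat the documentation note Michal proposes ought to carry.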