Sebastian Mendel wrote:
Marc Delisle wrote:
Michal Čihař wrote:
On Fri, 28 Apr 2006 10:38:36 +0200 Sebastian Mendel lists@sebastianmendel.de wrote:
Whether the URL sid is allowed or not is set in session.inc.php. Possibly we could add a $cfg to allow the URL sid, so it is the user's choice whether he allows the sid via URL or not.
Yes, we should add a config option for that. And add a documentation note that we require cookies unless this is enabled.
I am not really in favor of this idea. I guess it's the old security versus usability issue.
On one hand, we have users who have control over their browser and who, for some reason, disable cookies.
If I deny someone the right to remember my face, I cannot blame him for asking me every time who I am!
On the other hand, many users are using PMA on a shared installation, on which they have no control over the PMA config.
In practice, is the threat of session fixation/hijacking real?
Fixation: it is real, and very easy!
domain.tld/script.php?PHPSID=1234
And now I send you this link, you click it, and your session runs under the id 1234. Now I wait until you have logged in, and I can use this session id to call the page myself and be logged in with your details.
But of course this is not possible with PMA currently, as the auth is not handled with the session!
Hijacking: same as above, just you don't send the URL but catch it somewhere, e.g. at the router or proxy. Did you never try to copy the URL from one browser to another? With cookie-based session ids this will not work: you always find yourself on the login screen. With URL-based session ids it works!
Thanks Sebastian,
Can't we implement some of the countermeasures explained in section 5 of this document? For example, binding the legitimate user's IP address to our session data?
http://www.acros.si/papers/session_fixation.pdf
Marc
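As an added illustration of the two countermeasures discussed in this thread (refusing a session id from the URL, and binding the session to the client's IP after login), here is a small PHP session bootstrap and login handler. It is example code written for this page, not phpMyAdmin's session.inc.php or any code from the authors above; the function names, the $_SESSION keys, the assumption that it runs under a web server with HTTPS, and PHP 7.3+ for the array form of session_set_cookie_params() are all choices made here.

```php
<?php
// Added example, not phpMyAdmin code. Hardened session handling that
// (1) never accepts a session id from the query string, (2) refuses ids
// the server never issued, (3) issues a fresh id at login so a planted
// id becomes worthless, and (4) binds the session to the client's IP
// and User-Agent so a copied id fails from another host.
// Assumes a web SAPI populating $_SERVER and PHP >= 7.3.
declare(strict_types=1);

/** Start a session whose id may only arrive in the cookie, never in the URL. */
function secure_session_start(): void
{
    // Ignore ?PHPSESSID=... and stop PHP from rewriting links to carry
    // the id: this removes the URL-based fixation/leak vector entirely.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject any id that the server did not generate itself; an attacker
    // can no longer pick "1234" and make the victim's browser adopt it.
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie out of reach of scripts and off cleartext HTTP.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Call only after the user's credentials have been verified. */
function login_session(string $user): void
{
    // Core fixation defence: strict mode does not help if the attacker
    // first obtained a valid id from the server and then handed it to the
    // victim, so a privilege change must always mint a new id. The "true"
    // argument deletes the old session data rather than copying it.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['ip']   = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['ua']   = $_SERVER['HTTP_USER_AGENT'] ?? '';
}

/**
 * Returns the logged-in user name, or null if there is no login or the
 * session no longer matches the client it was issued to.
 */
function current_user(): ?string
{
    if (empty($_SESSION['user'])) {
        return null;
    }
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    // IP binding as suggested above: a stolen id presented from another
    // address is treated as hijacked and the session is torn down.
    if (($_SESSION['ip'] ?? null) !== $ip || ($_SESSION['ua'] ?? null) !== $ua) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return $_SESSION['user'];
}

// Typical request flow (illustrative):
// secure_session_start();
// if (credentials_ok($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//     login_session($_POST['user']);
// }
// $who = current_user();   // null => show the login screen
```

Two caveats a practitioner should weigh before adopting the IP check: users behind rotating proxies, carrier-grade NAT or mobile networks can legitimately change address mid-session and will be logged out, and a shared-host attacker who sits behind the same NAT as the victim passes the check anyway. The id regeneration at login is the countermeasure that actually defeats the fixation scenario in the thread; IP binding only narrows the hijacking window.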