Can't we implement some of the countermeasures as explained in section 5 of this document? For example, binding the legitimate user's IP address to our session data?
The easiest way to counter session fixation is simply to perform a session_regenerate_id() after the login. This way, any "fixated" session is changed to a random session ID after the credentials are entered.
Binding an IP address should IMHO be avoided; it's just security by obscurity and no "real" means against intrusion.
Session hijacking is a more definite problem. IMHO exposing the session ID in the URL must be avoided at all costs. Thus, only allowing cookie-enabled logins is IMHO the best way to deal with it. PMA is a sensitive application, so specific browser settings should be applied to it. You can't expect a user to have security on his databases if he disallows cookies, so we shouldn't support this mode. That's my take, of course. ;)
Best regards, Garvin
-- ++ Garvin Hicking | Web-Entwickler [PHP] | www.garv.in | ICQ 21392242 ++ Developer of | www.phpMyAdmin.net | www.s9y.org
++ Make me happy | http://wishes.garv.in
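As an added example that is not part of Garvin's message and not phpMyAdmin's own code: a minimal PHP login handler that applies both points from the reply above, cookie-only sessions (so the session ID never travels in the URL) and session_regenerate_id() immediately after a successful login. The user store, the password, and the login() function are constructed for this illustration; the script assumes PHP 7.3 or later (array form of session_set_cookie_params) and runs under a web server, not the CLI.

```php
<?php
// Added example, not phpMyAdmin code. Shows session fixation countermeasures:
// cookie-only sessions plus session_regenerate_id() right after login.

declare(strict_types=1);

// 1. Never accept or emit the session ID anywhere but in a cookie.
//    With use_only_cookies an attacker cannot plant a session by sending the
//    victim a link like index.php?PHPSESSID=value_chosen_by_attacker.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued

// 2. Cookie attributes: not readable from JavaScript, only sent over HTTPS.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);

session_start();

// Constructed sample user store (hypothetical). A real application would
// authenticate against its own user database or the database server.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

/**
 * Hypothetical login routine. Returns true on success and upgrades the
 * session so that a pre-login ("fixated") session ID is never reused.
 */
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }

    // 3. The essential step: swap the pre-login session ID for a fresh random
    //    one and delete the old session data, so an ID the attacker managed to
    //    plant before the login never becomes an authenticated session.
    session_regenerate_id(true);

    $_SESSION['user']      = $username;
    $_SESSION['logged_in'] = time();
    return true;
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if ($username !== '' && login($users, $username, $password)) {
    echo 'Logged in as ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
} else {
    http_response_code(401);
    echo 'Login failed';
}
```

The regenerate call belongs at every privilege change, not only at login, and the `true` argument matters: without it the old session data stays on disk under the attacker-known ID. `session.use_strict_mode` is a newer setting than the discussion above and adds a second line of defence, since PHP then refuses to adopt any session ID it did not itself generate, which closes the fixation vector even before the login step.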