
Hi!

can't we implement some of the countermeasures as explained in section 5 of this document? For example, binding the legitimate user's IP address to our session data?

The easiest way to counter session fixation is to just perform a session_regenerate_id() after the login. This way, any "fixated" session will be changed to a random session ID after the credentials are entered. Binding an IP address should IMHO be prevented; it's just security by obscurity and no "real" means against intrusion.

Session hijacking is a more definite problem. IMHO exposing the session ID in the URL must be avoided at all costs. Thus, only allowing cookie-enabled logins is IMHO the best way to deal with it. PMA is a sensitive application, thus specific browser settings should be applied to it. You can't expect a user to have security on his databases if he disallows cookies, so we shouldn't support this mode.

That's my take, of course. ;)

Best regards,
Garvin

-- 
++ Garvin Hicking | Web-Entwickler [PHP] | www.garv.in | ICQ 21392242
++ Developer of | www.phpMyAdmin.net | www.s9y.org
++ Make me happy | http://wishes.garv.in
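The two countermeasures Garvin recommends above, as an added PHP example that is not phpMyAdmin's code and not part of the original message: the session ID is only ever accepted from a cookie (never from the URL), and the ID is regenerated once the credentials have been accepted, so an ID planted before login is never the authenticated one. The user store (check_credentials() with one constructed user "alice") and the login() helper are hypothetical; session_set_cookie_params() with an array argument assumes PHP 7.3 or newer.

```php
<?php
// Added example, not phpMyAdmin code. Demonstrates (1) cookie-only session
// IDs and (2) session_regenerate_id() after a successful login.
declare(strict_types=1);

// (1) Never read or emit the session ID via the URL; cookies only.
//     These ini settings must be applied before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
session_set_cookie_params([
    'httponly' => true,                     // not readable from JavaScript
    'secure'   => !empty($_SERVER['HTTPS']), // only over TLS when available
    'samesite' => 'Lax',
]);

/**
 * Hypothetical credential check with one constructed user; a real
 * application would look the user up in its own user store.
 */
function check_credentials(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

/**
 * (2) Regenerate the session ID as soon as the credentials are accepted.
 *     Any session ID an attacker managed to fixate on the victim before the
 *     login is discarded here, so it never becomes an authenticated session.
 *     Returns the new session ID on success, null on failure.
 */
function login(string $user, string $password): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $pre_login_id = session_id();

    if (!check_credentials($user, $password)) {
        return null;                        // unauthenticated: keep the old ID
    }

    // true: delete the old session data so the fixated ID is dead server-side
    // as well, not merely unlinked from this browser.
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();

    // Sanity check: the authenticated session must not reuse the old ID.
    if (session_id() === $pre_login_id) {
        throw new RuntimeException('session ID was not regenerated');
    }
    return session_id();
}

// Stand-alone demonstration with constructed input (works from the CLI too).
if (PHP_SAPI === 'cli') {
    session_start();
    $fixated = session_id();               // stands in for an attacker-chosen ID
    echo "ID before login:  $fixated\n";
    echo "wrong password:   " . var_export(login('alice', 'wrong'), true) . "\n";
    echo "ID still:         " . session_id() . "\n";
    $new = login('alice', 'correct horse');
    echo "ID after login:   $new\n";
    echo "changed:          " . var_export($new !== $fixated, true) . "\n";
}
```

Note that the regeneration happens only on the success path: a failed login must not rotate the ID, or an attacker could make the victim's browser churn through IDs, and nothing is gained. The use_strict_mode setting is an addition beyond the message; it makes PHP refuse an uninitialised ID presented by the client, which removes the most common way a fixation cookie is planted in the first place.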