Garvin Hicking wrote:
Hi!
> Securing session data/handling is part of the system, not of the application (like some days ago someone said window hijacking is part of the browser, not the app).

We would make it too easy for us to say so, especially if we are able to bypass this. If we really just use PHP sessions and pay no attention to their security, we need to make phpMyAdmin still work without sessions. Most of the shared hosting providers do not ensure different session.save_path settings...

> Even with open_basedir disabled, to open a file from the tmp dir you need the exact name, as normally listing dir contents is not allowed.
Why do you think that? I can open and list my /tmp directory on all 3 hosts I just checked:
<?php
// Open /tmp and print every entry; listing is not blocked on any of these hosts
$d = opendir('/tmp');
while (($file = readdir($d)) !== false) {
    echo $file . "\n";
}
closedir($d);

> and guessing the right session id is nearly impossible:
That's true of course. :)
Also we need to think about what bad can happen when someone hijacks your session id, or uses session fixation.
> Authentication information does not need to be stored in the session! The authentication system can stay as it is!

But... users deactivating cookies in their browser currently cannot benefit from the login panel.
Yes, I think it's better to rely on the current system than to use a (much easier) PHP session auth.
Regards, Garvin
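The two concerns raised in this message, a shared session.save_path whose sess_* files any local script can enumerate, and session fixation if PHP sessions were to carry the login, can be shown side by side. The following is an added example and is not code from this thread or from phpMyAdmin: the private save path, the cookie name MYAPPSESSID and the user-name parameter are assumptions for illustration, and the session_set_cookie_params() array form and the 'samesite' key require PHP 7.3 or later.

```php
<?php
// Added example, not part of the original thread or of phpMyAdmin.
// Paths, the cookie name and the user name are illustrative assumptions.

declare(strict_types=1);

/**
 * Enumerate PHP session ids in a save path. PHP's file handler stores
 * each session as "sess_<id>", so on a shared host where every site
 * writes into /tmp, anyone allowed to list the directory sees every
 * active session id without having to guess one.
 * Returns an empty array when listing is denied (open_basedir, mode).
 */
function listSessionIds(string $savePath): array
{
    $ids   = [];
    $files = @scandir($savePath);
    if ($files === false) {
        return $ids;
    }
    foreach ($files as $name) {
        if (strncmp($name, 'sess_', 5) === 0) {
            $ids[] = substr($name, 5);
        }
    }
    return $ids;
}

/**
 * Start a PHP session in a way that survives a shared host:
 *  - a private save_path other customers cannot list (assumed path),
 *  - an application-specific cookie name,
 *  - HttpOnly/Secure/SameSite cookie flags,
 *  - use_strict_mode, so an id supplied by the client that PHP did
 *    not issue is rejected instead of adopted (the fixation case).
 */
function startHardenedSession(string $privateSavePath, string $cookieName, bool $https): void
{
    if (!is_dir($privateSavePath)) {
        mkdir($privateSavePath, 0700, true);
    }
    ini_set('session.save_path', $privateSavePath);
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_name($cookieName);
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

/**
 * Call once credentials have been verified. A fresh id is issued and
 * the old session file deleted, so an id an attacker planted before
 * the login never becomes the authenticated one.
 */
function promoteSessionAfterLogin(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user']      = $user;
    $_SESSION['logged_in'] = time();
}

// The enumeration half runs from the command line as well as the web.
echo "Session ids visible in /tmp:\n";
foreach (listSessionIds('/tmp') as $id) {
    echo "  $id\n";
}

// The hardened session only makes sense under a web SAPI.
if (PHP_SAPI !== 'cli') {
    startHardenedSession('/var/lib/myapp/sessions', 'MYAPPSESSID', isset($_SERVER['HTTPS']));
    // ... after a successful credential check:
    // promoteSessionAfterLogin($validatedUserName);
}
```

Run the script once on a shared host with the default save path to see how many foreign session ids the first function returns; that count is the argument for a private save_path. The strict-mode setting is what stops fixation at the door, and session_regenerate_id(true) at login closes the remaining window in which a pre-login id could have been observed.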