Garvin Hicking wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi!
can't we implement some of the countermeasures as explained in section 5 of this document? For example, binding the legitimate user's IP address to our session data?
The easiest way to counter session fixation is to just perform a session_regenerate_id() after the login. This way, any "fixated" session will be changed to a random session ID after the credentials are entered.
Ok, but this would move our minimum PHP version to 4.3.2. Probably not too bad, see http://www.nexen.net/chiffres_cles/phpversion/php_statistics_for_april_2006....
But, as you say, there would still be the hijacking problem, so let's say that regenerating session id could be added in 2.9.x as an added security measure, not for allowing users to disable their cookies.
If we really make official the cookies restriction, I would like to document this and release 2.8.2 in a few days.
Marc
Binding an IP address should IMHO be prevented, it's just security by obscurity and no "real" means against intrusion.
Session hijacking is a more definite problem. IMHO exposing the session ID in the URL must be avoided at all costs. Thus, only allowing cookie-enabled logins is IMHO the best way to deal with it. PMA is a sensible application, thus specific browser settings should be applied to it. You can't expect a user to have security on his databases if he disallows cookies, so we shouldn't support this mode. That's my take, of course. ;)
Best regards, Garvin
++ Garvin Hicking | Web developer [PHP] | www.garv.in | ICQ 21392242
++ Developer of | www.phpMyAdmin.net | www.s9y.org
++ Make me happy | http://wishes.garv.in
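To illustrate the countermeasure discussed in the thread (cookie-only sessions plus session_regenerate_id() right after a successful login), here is an added example that is not phpMyAdmin's code or anything posted by the participants. It assumes a hypothetical verify_credentials() helper and a deployment over HTTPS.

```php
<?php
// Added example, not phpMyAdmin code. Demonstrates the two measures from the
// thread: accept session IDs only from cookies (never from the URL), and
// replace the session ID as soon as credentials are verified, so an ID an
// attacker planted before login ("fixation") is never promoted to a
// logged-in session.

// Reject IDs passed via URL and never emit the ID into links/forms.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Keep the cookie away from script access and off plain HTTP
// (assumes an HTTPS deployment; drop cookie_secure when testing locally).
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');

session_start();

// Hypothetical helper: returns true only when user/password are valid.
function verify_credentials(string $user, string $password): bool
{
    // ... lookup against the real account store goes here ...
    return false;
}

function login(string $user, string $password): bool
{
    if (!verify_credentials($user, $password)) {
        return false;                     // nothing changes for a failed attempt
    }
    // Discard whatever ID the client arrived with, before storing any
    // authenticated state. session_regenerate_id() exists since PHP 4.3.2;
    // the "true" argument (delete the old session data) since PHP 5.1.0.
    session_regenerate_id(true);
    $_SESSION['user']          = $user;
    $_SESSION['authenticated'] = true;
    $_SESSION['login_time']    = time();
    return true;
}

// Every protected page checks the flag set only after regeneration.
function require_login(): void
{
    if (empty($_SESSION['authenticated'])) {
        header('Location: /login.php');
        exit;
    }
}
```

Regenerating the ID after login removes the fixation risk but, as the thread notes, not hijacking of an ID that leaks later, which is why the participants favour cookie-only sessions over IDs in the URL.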