Garvin Hicking wrote:
Hi Marc!
I have not read the source, so my question is: When not using cookies and having URL-based sessions, where else would you store another authentication token?
Do you mean a future new auth mechanism?
No, I was talking about your proposal :)
Currently we have published that enabling cookies was only required with auth_type = 'cookie'. I am in favor of asking to enable cookies in all cases, it's just that we have to publish it evidently and do it soon, like in 2.8.2.
I think publishing that is a good thing.
I don't think this is possible, because if a user doesn't have cookies, all there's left is HTTP Authentication [which only works with mod_php and not the CGI] and the URI. The URI can be hijacked, so...there's nothing left to store data in? All storage in $_SESSION will be available to the session-ID hijacker...
config.inc.php can store fixed auth data and we support this...
Yes, but that would still mean that with a hijacked session ID in the URL you could do everything that the "real" person could do - and you were explicitly
you don't need to hijack this session - the login credentials are stored in the cfg, you just need to open the url!
asking if there is a way to:
- Do not use cookies
- Use session storage
- Use session ID propagation through URL
- Be not subject to session hijacking
IMHO there is no way to make that happen.
at the moment this is possible only with http-auth
with session id regenerating it is far more difficult to hijack a session - but not impossible
it seems to me that you forget that session and login is not the same in PMA (at least at the moment)!
at the moment a user has only the choice between cookie-, http- or config-auth - but all this has nothing to do with session!
-- Sebastian Mendel
www.sebastianmendel.de
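An added illustration of the point the thread arrives at (example code, not phpMyAdmin's own and not written by anyone in the thread): PHP session settings with the URL-propagation options discussed above switched off, and a login path that regenerates the session ID once credentials are verified. `check_credentials()` is a hypothetical stand-in for the real credential check.

```php
<?php
declare(strict_types=1);

// Weak configuration the thread describes (session ID travels in the URL):
//   session.use_trans_sid = 1
//   session.use_only_cookies = 0
// Hardened configuration: the ID is accepted from a cookie only, never from
// the query string, and only IDs this server created are honoured.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');   // unknown IDs get a fresh session
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Lax');
if (!empty($_SERVER['HTTPS'])) {
    ini_set('session.cookie_secure', '1');
}

// Defender-side check: an ID offered in the URL is exactly the hijackable
// case discussed above. With use_only_cookies=1 PHP ignores it anyway;
// logging it makes leaked or shared links visible to the operator.
if (isset($_GET[session_name()])) {
    error_log('session id offered in URL; ignored');
}

session_start();

// Hypothetical credential check; the real one would verify against MySQL.
function check_credentials(string $user, string $password): bool
{
    return false; // placeholder so the example runs offline
}

function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    // Replace the pre-login ID and delete its server-side data: an ID that
    // leaked before authentication never becomes the authenticated one.
    session_regenerate_id(true);
    $_SESSION['auth_user']  = $user;
    $_SESSION['auth_since'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

With `auth_type = 'config'` the credentials live in `config.inc.php` rather than in `$_SESSION`, so, as noted above, the session settings shown here do not protect that mode; only an access restriction on the URL itself does.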