Micheal Winger wrote:
You guys really need a secure forum to talk through, heh.
Here is a suggestion (keep in mind though I am not entirely aware of security flaws of how things are done with stuff.. and you guys can entirely dismiss this idea if you see fit).
When a user first logs in, it gives them a URL to use (one specific to that computer alone) but of course that also then poses the problem of computers on a network; if it is able to grab network IPs you could match that as well, then phpMyAdmin would lock that URL code with that IP. This code would then be included on all URLs inside the use of phpMyAdmin to keep track of the user. If the user then goes to use phpMyAdmin on another computer, they would have to log another code for that computer.
You cannot bind the IP to the session, as you cannot ensure that a user uses only one IP (proxy array), and not all proxies deliver the forwarded-for header.
This at least takes away the possibility of people stealing other people's URLs, as every time the page is loaded it would be verified; however, this method also imposes an obligation on the user to either bookmark the URL and not lose it, or to keep it somewhere safe where they wouldn't misplace it. Such a URL would also have to be lengthy in order to have a large amount of people using the system.
This could be an option in the config as a separate method? I don't know if there are security flaws or any undesired measures in here, you guys can do with it what you will.
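
The two points raised in this exchange (a URL token locked to the login IP, and the objection about proxy arrays and missing forwarded-for headers) can be checked with a small simulation. This is an added example, not code from the thread or from phpMyAdmin; the class `IpBoundSessions`, the helper `replay` and all addresses are hypothetical and constructed for illustration.

```python
import secrets

class IpBoundSessions:
    """Hypothetical store for the proposal: a URL token locked to the login IP."""

    def __init__(self, trust_forwarded_for):
        self.trust_forwarded_for = trust_forwarded_for
        self._bound = {}  # token -> IP address recorded at login

    def client_ip(self, peer_ip, headers):
        # The server only ever sees the TCP peer; X-Forwarded-For is optional
        # information that a proxy may or may not add.
        xff = headers.get("X-Forwarded-For")
        if self.trust_forwarded_for and xff:
            return xff.split(",")[0].strip()
        return peer_ip

    def login(self, peer_ip, headers):
        token = secrets.token_urlsafe(32)
        self._bound[token] = self.client_ip(peer_ip, headers)
        return token

    def check(self, token, peer_ip, headers):
        return self._bound.get(token) == self.client_ip(peer_ip, headers)


def replay(store, requests):
    """Log in with the first request, then return the verdict for each later one."""
    token = store.login(*requests[0])
    return [store.check(token, peer, hdrs) for peer, hdrs in requests[1:]]


# Constructed traffic (documentation address ranges): ONE legitimate user whose
# requests leave through a proxy array; proxy .12 sends no X-Forwarded-For.
USER = "198.51.100.7"
PROXY_ARRAY = [
    ("203.0.113.10", {"X-Forwarded-For": USER}),
    ("203.0.113.11", {"X-Forwarded-For": USER}),
    ("203.0.113.12", {}),
    ("203.0.113.10", {"X-Forwarded-For": USER}),
]
# Constructed: two different machines behind one shared network address.
SHARED_NETWORK = [("192.0.2.50", {}), ("192.0.2.50", {})]

if __name__ == "__main__":
    print("bind to peer IP:      ", replay(IpBoundSessions(False), PROXY_ARRAY))
    print("bind to forwarded IP: ", replay(IpBoundSessions(True), PROXY_ARRAY))
    print("copied URL, same net: ", replay(IpBoundSessions(False), SHARED_NETWORK))
```

Either binding rejects some requests from the legitimate user behind the proxy array, while a URL copied to another machine on the same network address is still accepted.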