[Phpmyadmin-devel] speed improvement in auth_type cookie!

Alexander M. Turek me at derrabus.de
Wed Nov 24 08:04:31 CET 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

Marc Delisle wrote:
> Garvin Hicking wrote:
> 
>> About the LoginCookieValidity - a question: Since I don't use cookie
>> auth, is it
>> possible for users to set LoginCookieValidity off (say to 0) and then the
>> en/decoding of the cookie is not always performed?
> 
> Hi Garvin,
> this would mean that a stolen cookie can be used to authenticate.

First of all, storing the cookie safely is the client's task. If by
"stolen cookie" you are talking about someone sniffing my traffic and
extracting the encrypted password: Well that's what SSL is made for. On
top of that: On login, the user has to send his password unencrypted
through the wire: If I wanted to hack someone, I'd grab the password
there instead of "steal" the cookie.

We cannot always save the world. The encryption feature is a nice
possibility to make PMA a bit more secure for users of Microsoft's
Internet Exploiter, but if it slows down PMA that much, we should give
the users the ability to switch it off.

Alternatively, we could maybe implement an auth plugin that uses
sessions and deprecate the cookie plugin step by step.

Regards,

AMT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBpL2z8c/ssWf/SMcRAmWPAJ0bmrrUqFnoB/VevSYUquulPpx2UACfYHR2
4YZNVSDA9Wkcaiv5j/ZWKlM=
=DeAf
-----END PGP SIGNATURE-----
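The point Marc raises above (a cookie whose validity check is switched off can be replayed indefinitely by whoever captures it) is easy to see with a small model of an authenticated login cookie. The following is an added illustration, not code from this thread or from phpMyAdmin's cookie auth plugin: it signs the cookie with an HMAC instead of storing an encrypted password as the real plugin did, and the secret, the user name and the timestamps are constructed values. The validity parameter plays the role of LoginCookieValidity, with 0 meaning "no expiry check", as Garvin proposed.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

# Constructed server-side secret for the example; a real deployment would
# generate one at install time and never ship it in source.
SECRET = b"constructed-server-secret-do-not-reuse"


def issue_cookie(user: str, issued_at: int, secret: bytes = SECRET) -> str:
    """Build a login cookie carrying the user and the issue time, authenticated
    with an HMAC so the client cannot alter either field."""
    payload = f"{user}|{issued_at}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def validate_cookie(cookie: str, now: int, validity: int,
                    secret: bytes = SECRET) -> Optional[str]:
    """Return the user name if the cookie is genuine and (when validity > 0)
    still inside its validity window, otherwise None.

    validity == 0 models LoginCookieValidity switched off: the HMAC is still
    checked, but a captured cookie stays accepted forever."""
    try:
        b64, mac = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(expected, mac):
        return None
    user, issued = payload.decode().split("|", 1)
    issued_at = int(issued)
    # Reject cookies from the future as well as expired ones.
    if validity > 0 and (now < issued_at or now - issued_at > validity):
        return None
    return user


if __name__ == "__main__":
    # Constructed timeline: cookie issued at t=1000, captured by a third party,
    # then presented again 30 days later.
    cookie = issue_cookie("pma_user", 1000)
    later = 1000 + 30 * 86400
    print("validity 3600, replayed 30 days later ->",
          validate_cookie(cookie, later, 3600))   # None: window closed
    print("validity 0,    replayed 30 days later ->",
          validate_cookie(cookie, later, 0))      # still 'pma_user'
```

With a validity window the damage from a captured cookie is bounded by that window (plus whatever re-login the server forces), which is the property lost when the check is disabled; TLS, as the reply notes, protects the cookie in transit but does nothing against a cookie copied from the client afterwards.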