[Phpmyadmin-devel] speed improvement in auth_type cookie!

Marc Delisle DelislMa at CollegeSherbrooke.qc.ca
Wed Nov 24 09:28:33 CET 2004


Alexander M. Turek wrote:
> Hi there,
> 
> Marc Delisle wrote:
> 
>>Garvin Hicking wrote:
>>
>>
>>>About the LoginCookieValidity - a question: Since I don't use cookie
>>>auth, is it
>>>possible for users to set LoginCookieValidity off (say to 0) and then the
>>>en/decoding of the cookie is not always performed?
>>
>>Hi Garvin,
>>this would mean that a stolen cookie can be used to authenticate.
> 
> 
> First of all, storing the cookie safely is the client's task. If by
> "stolen cookie" you are talking about someone sniffing my traffic and
> extracting the encrypted password: Well that's what SSL is made for. On
> top of that: On login, the user has to send his password unencrypted
> through the wire: If I wanted to hack someone, I'd grab the password
> there instead of "steal" the cookie.

Hi Alexander,
no, I am talking about XSS techniques which can be used to get cookies.
Obviously we are improving phpMyAdmin against those, but PMASA-2004-3
shows that there probably remain some parts of phpMyAdmin not immune
to XSS.

> 
> We cannot always save the world. The encryption feature is a nice
> possibility to make PMA a bit more secure for users of Microsoft's
> Internet Exploiter, but if it slows down PMA that much, we should give
> the users the ability to switch it off.

With the new mcrypt module, the slowdown problem is AFAIK solved. I 
would prefer suggesting users (sysadmins) to implement this extension
on their servers if it's not already done, than lowering the security
of encrypted cookies.

> 
> Alternatively, we could maybe implement an auth plugin that uses
> sessions and deprecate the cookie plugin step by step.

Yes, we have been talking about this for some time. But there remains
the point of stealing session data, see for example:
http://www.webkreator.com/php/configuration/php-session-security.html

So I would prefer to encrypt username and password stored in the 
session. Or at least inform users if we can detect that the way session
data is stored is too open to intrusion.

Marc

> Regards,
> 
> AMT
> 
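
One way the detection mentioned in the message above could look, as an added example that is not part of the original thread and not phpMyAdmin code. The function name `session_store_warnings` is hypothetical, and the check assumes PHP's file-based session handler on a POSIX system, where each session is a file named `sess_<session id>` in `session.save_path`.

```php
<?php
// Added example; not phpMyAdmin code. The function name is hypothetical.
// Returns warnings when PHP's file-based session storage is exposed to
// other local accounts.
function session_store_warnings(string $handler, string $savePath): array
{
    if ($handler !== 'files') {
        // Custom handlers (database, memcache, ...) cannot be judged from here.
        return [];
    }

    // session.save_path may be "N;/path" or "N;MODE;/path"; keep the path part.
    $parts = explode(';', $savePath);
    $dir = trim((string) end($parts));
    if ($dir === '') {
        $dir = sys_get_temp_dir(); // an empty save_path falls back to the temp dir
    }
    if (!is_dir($dir)) {
        return ["session directory '$dir' does not exist"];
    }

    $warnings = [];
    $mode = fileperms($dir) & 07777;

    // Other-read on the directory lets any local user list the sess_<id>
    // file names, and a session id is all that is needed to reuse a session.
    if ($mode & 0004) {
        $warnings[] = sprintf('%s (mode %04o) can be listed by every local user', $dir, $mode);
    }
    // Other-write without the sticky bit lets any local user delete or
    // replace session files that belong to someone else.
    if (($mode & 0002) && !($mode & 01000)) {
        $warnings[] = sprintf('%s (mode %04o) is world-writable without the sticky bit', $dir, $mode);
    }
    return $warnings;
}

// Check the configuration of the PHP instance that runs this script.
$found = session_store_warnings(
    (string) ini_get('session.save_handler'),
    (string) ini_get('session.save_path')
);
foreach ($found as $warning) {
    echo "Session storage warning: $warning\n";
}
```

A clean result only covers directory permissions; when every site on a shared host runs PHP under the same account, session files remain readable across sites, so encrypting the stored username and password still adds protection.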
