[Phpmyadmin-devel] sessions/cookies vs. javascript

Garvin Hicking phpmyadmin at supergarv.de
Tue Sep 27 04:44:58 CEST 2005


Hi!

(I can only agree with what Michal said - it's only not implemented because nobody
got around to doing it.)

> If you're going to implement this, do not forget that sessions should
> work also without cookies enabled.

There is also a problem that Marc and I talked about in the past. We should not
store sensitive information like passwords in sessions, as usually all session
data can be accessed by untrusted users on the same webserver, since session
files are usually readable by everyone.

Also, we need to think about what bad things can happen when someone hijacks your
session id, or uses session fixation.

Regards,
Garvin

-- 
++ Garvin Hicking | Web-Entwickler [PHP]    | www.garv.in | ICQ 21392242
++ Developer of   | www.phpMyAdmin.net      | www.s9y.org

++ Make me happy  | http://wishes.garv.in
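The two risks raised in the message above (a password sitting in a world-readable session file, and an id that can be fixed or hijacked) have standard PHP mitigations. The following is an added example written for this page; it is not phpMyAdmin code, and the cookie name `pma_skey` and the function names are assumptions. It pins the session id to server-generated values, rotates the id on login, and stores the credential in the session only as ciphertext whose key lives solely in the user's browser cookie, so reading the session store on a shared host yields nothing usable.

```php
<?php
// Added example (not phpMyAdmin code): session hygiene plus split-knowledge
// storage, so the shared session store never holds a usable password.
declare(strict_types=1);

// 1. Session id hygiene. Must run before session_start().
function configureSession(): void
{
    // Reject ids the server did not generate itself: classic fixation
    // (attacker plants a known id) is refused outright.
    ini_set('session.use_strict_mode', '1');
    // Never carry the id in URLs, where it leaks via Referer and logs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Cookie unreadable by script, TLS-only, not sent on cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// 2. On every change of authentication state, mint a fresh id so anything
//    observed or planted before login no longer refers to a live session.
function onLoginSucceeded(): void
{
    session_regenerate_id(true); // true = destroy the old session file too
    $_SESSION['authenticated_at'] = time();
}

// 3. Split knowledge: the session file holds only a secretbox ciphertext;
//    the key exists only in the browser's cookie (hypothetical name).
const KEY_COOKIE = 'pma_skey';

function storeSecretInSession(string $name, string $secret): void
{
    $key   = sodium_crypto_secretbox_keygen();
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($secret, $nonce, $key);

    // Nonce is public; prepend it to the ciphertext for later decryption.
    $_SESSION[$name] = sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_ORIGINAL);

    setcookie(KEY_COOKIE, sodium_bin2base64($key, SODIUM_BASE64_VARIANT_ORIGINAL), [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);

    // Scrub the plaintext and key from this process's memory.
    sodium_memzero($key);
    sodium_memzero($secret);
}

function readSecretFromSession(string $name): ?string
{
    if (!isset($_SESSION[$name], $_COOKIE[KEY_COOKIE])) {
        return null;
    }
    try {
        $key  = sodium_base642bin($_COOKIE[KEY_COOKIE], SODIUM_BASE64_VARIANT_ORIGINAL);
        $blob = sodium_base642bin($_SESSION[$name], SODIUM_BASE64_VARIANT_ORIGINAL);
    } catch (SodiumException $e) {
        return null; // tampered or truncated cookie/session value
    }
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES
        || strlen($blob) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

    // Authenticated decryption: any bit flip in the session file fails closed.
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    sodium_memzero($key);
    return $plain === false ? null : $plain;
}
```

Note the tension with the quoted requirement that sessions also work without cookies: the split-knowledge step depends on a cookie to hold the key, and a cookieless session must carry its id in the URL, which is exactly where fixation and hijacking get easier. A cookieless mode should therefore refuse to cache the credential at all rather than fall back to writing it into the session file.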
