[Phpmyadmin-devel] sessions/cookies vs. javascript

Sebastian Mendel lists at sebastianmendel.de
Tue Sep 27 05:06:53 CEST 2005

Garvin Hicking wrote:
> Hi!
> (I can only agree to what Michal said - it's only not implemented because nobody
> got down to do it)
>> If you're going to implement this, do not forget that sessions should
>> work also without cookies enabled.
> There is also a problem about which Marc and I talked in the past. We should not
> store sensitive information like passwords in sessions, as usually all session
> data can be accessed from untrusted users on the same webserver, as session
> files are readable for everyone usually.

securing session data/handling is part of the system not of the 
application (like some days ago someone said window hijacking is part of 
the browser not the app)

even with open_basedir disabled,
to open a file from the tmp dir you need the exact name, as normally 
listing dir contents is not allowed

and guessing the right session id is nearly impossible:

; Select a hash function
; 0: MD5   (128 bits)
; 1: SHA-1 (160 bits)
session.hash_function = 0

; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
; 4 bits: 0-9, a-f
; 5 bits: 0-9, a-v
; 6 bits: 0-9, a-z, A-Z, "-", ","
session.hash_bits_per_character = 5

> Also we need to think about what bad can happen when someone hijacks your
> session id, or uses session fixation.

authentication information does not need to be stored in the session!
the authentication system can stay as it is!

Sebastian Mendel

www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
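The two defensive points argued in this thread (keep credentials out of `$_SESSION`, and do not let an attacker-chosen id survive login), shown as a minimal PHP login handler. This is an added example, not phpMyAdmin code; `verify_credentials()` is a hypothetical helper, and the id-space function takes the two php.ini values quoted above (PHP 5.x names; PHP 7.1+ replaced them with `session.sid_length` and `session.sid_bits_per_character`).

```php
<?php
// Added example, not phpMyAdmin code. verify_credentials() is hypothetical.

// How large the session-id space is for the php.ini settings quoted above:
// session.hash_function (0 = MD5, 128 bits; 1 = SHA-1, 160 bits) and
// session.hash_bits_per_character (4, 5 or 6).
function session_id_space(int $hash_function, int $bits_per_char): array
{
    $hash_bits = ($hash_function === 1) ? 160 : 128;
    return [
        'id_length'     => (int) ceil($hash_bits / $bits_per_char),
        'log2_keyspace' => $hash_bits,  // 2^128 ids to guess from with MD5
    ];
}

function login(string $user, string $password): bool
{
    if (!verify_credentials($user, $password)) {   // hypothetical DB check
        return false;
    }
    // Session fixation: issue a fresh id after authentication and delete
    // the old session file, so an id planted before login is worthless.
    session_regenerate_id(true);

    // Store only what later requests need. The password never enters
    // $_SESSION, so a world-readable session file on a shared host does
    // not leak credentials; re-authentication stays with the auth system.
    $_SESSION['user']      = $user;
    $_SESSION['auth_time'] = time();
    return true;
}

session_start();
// session_id_space(0, 5) gives id_length 26 and log2_keyspace 128,
// matching the 26-character ids PHP 5 produced with these settings.
```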
