[Phpmyadmin-devel] sessions/cookies vs. javascript

Sebastian Mendel lists at sebastianmendel.de
Tue Sep 27 05:06:53 CEST 2005


Garvin Hicking wrote:
> Hi!
> 
> (I can only agree to what Michal said - it's only not implemented because nobody
> got down to do it)
> 
>> If you're going to implement this, do not forget that sessions should
>> work also without cookies enabled.
> 
> There is also a problem about which Marc and I talked in the past. We should not
> store sensitive information like passwords in sessions, as usually all session
> data can be accessed from untrusted users on the same webserver, as session
> files are readable for everyone usually.

securing session data/handling is part of the system, not of the 
application (like some days ago someone said window hijacking is part of 
the browser, not the app)

even with open_basedir disabled,
to open a file from the tmp dir you need the exact name, as normally 
listing dir contents is not allowed

and guessing the right session id is nearly impossible:

---
; Select a hash function
; 0: MD5   (128 bits)
; 1: SHA-1 (160 bits)
session.hash_function = 0

; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
;
; 4 bits: 0-9, a-f
; 5 bits: 0-9, a-v
; 6 bits: 0-9, a-z, A-Z, "-", ","
session.hash_bits_per_character = 5
---

> Also we need to think about what bad can happen when someone hijacks your
> session id, or uses session fixation.

authentication information does not need to be stored in the session!
the authentication system can stay as it is!

-- 
Sebastian Mendel

www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
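As an added illustration (not from this thread or from phpMyAdmin), the PHP 5-era php.ini values quoted above turned into two defender-side checks: the session-id length and alphabet each setting produces (so a cookie value that cannot have come from this server's generator can be rejected, a cheap guard against fixation), and a scan of a session save_path for files other local users can read, which is the exposure Garvin describes. The directory, file names and serialized session contents are constructed for the example.

```python
import math
import os
import stat
import tempfile

# From the php.ini excerpt: session.hash_function 0 = MD5 (128 bits), 1 = SHA-1 (160 bits)
HASH_BITS = {0: 128, 1: 160}
# session.hash_bits_per_character -> alphabet PHP uses when encoding the hash
ALPHABETS = {
    4: "0123456789abcdef",
    5: "0123456789abcdefghijklmnopqrstuv",
    6: "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-,",
}


def session_id_format(hash_function=0, bits_per_char=5):
    """Return (id length, alphabet, hash bits) for the given php.ini values."""
    bits = HASH_BITS[hash_function]
    alphabet = ALPHABETS[bits_per_char]
    length = math.ceil(bits / bits_per_char)  # e.g. 128/5 -> 26 characters
    return length, alphabet, bits


def is_well_formed_session_id(sid, hash_function=0, bits_per_char=5):
    """True only if sid has the exact length and alphabet this configuration emits."""
    length, alphabet, _ = session_id_format(hash_function, bits_per_char)
    return len(sid) == length and all(c in alphabet for c in sid)


def world_readable_session_files(save_path):
    """List sess_* files in save_path whose mode lets any local user read them."""
    leaked = []
    for name in os.listdir(save_path):
        if not name.startswith("sess_"):
            continue
        mode = os.stat(os.path.join(save_path, name)).st_mode
        if mode & stat.S_IROTH:
            leaked.append(name)
    return sorted(leaked)


def demo():
    """Constructed save_path with one private (0600) and one world-readable (0644) session file."""
    path = tempfile.mkdtemp()
    for name, mode in (("sess_private", 0o600), ("sess_leaky", 0o644)):
        full = os.path.join(path, name)
        with open(full, "w") as fh:
            fh.write('user|s:5:"alice";')  # constructed PHP-serialized session data
        os.chmod(full, mode)  # set explicitly so the umask does not change the outcome
    return world_readable_session_files(path)


if __name__ == "__main__":
    print(session_id_format(0, 5))       # (26, '0123456789abcdefghijklmnopqrstuv', 128)
    print(demo())                        # ['sess_leaky']
```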