[Phpmyadmin-devel] sessions/cookies vs. javascript

Garvin Hicking phpmyadmin at supergarv.de
Tue Sep 27 05:27:04 CEST 2005


Hi!

> securing session data/handling is part of the system not of the application
> (like some days ago someone said window hijacking is part of
> the browser not the app)

We would make it too easy for us to say so, especially if we are able to bypass
this. If we really just use PHP sessions and pay no attention to their security,
we need to make phpMyAdmin still work without sessions. Most of the shared
hosting providers do not ensure different session.save_path settings...

> even with open_basedir disabled, to open a file from the tmp dir you need the
> exact name, as normally listing dir contents is not allowed

Why do you think that? I can open and list my /tmp directory on all 3 hosts I
just checked:

<?php
// List every entry in the system temp directory (this is what a
// co-tenant on a shared host can do to discover session files)
$d = opendir('/tmp');
while (($file = readdir($d)) !== false) {
    echo $file . "\n";
}
closedir($d);

> and guessing the right session id is nearly impossible:

That's true of course. :)

>> Also we need to think about what bad can happen when someone hijacks your
>> session id, or uses session fixation.
>
> authentication information does not need to be stored in the session!
> authentication system can stay as it is!

Yes, I think it's better to rely on the current system than to use a (much
easier) PHP session auth.

Regards,
Garvin


-- 
++ Garvin Hicking | Web-Entwickler [PHP]    | www.garv.in | ICQ 21392242
++ Developer of   | www.phpMyAdmin.net      | www.s9y.org

++ Make me happy  | http://wishes.garv.in
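A defensive check for the shared session.save_path problem discussed above, added here as an example and not code from the original message or from phpMyAdmin; the private directory location and the helper names are assumptions:

```php
<?php
// Added example: detect a session save path that other accounts on the
// host can enumerate, and move sessions to a per-application directory.
// The directory below is an assumed location, not a phpMyAdmin setting.

function session_path_is_shared(string $path): bool
{
    // session.save_path may be "N;/path" or "N;mode;/path"; keep the dir part
    $parts = explode(';', $path);
    $dir = end($parts);
    if ($dir === '' || !is_dir($dir)) {
        return true; // unset path means the system default, usually /tmp
    }
    $perms = fileperms($dir) & 0777;
    // world-readable (list) or world-searchable (open by name) directory:
    // other accounts on the host can reach the session files
    return ($perms & 0005) !== 0;
}

function use_private_session_dir(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    chmod($dir, 0700);
    session_save_path($dir);
    // keep the session id out of URLs and out of reach of page scripts
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
}

$current = ini_get('session.save_path') ?: sys_get_temp_dir();
if (session_path_is_shared($current)) {
    use_private_session_dir(__DIR__ . '/../sessions'); // assumed location
}
session_start();
```

On hosts where every customer's PHP runs under the same uid, a 0700 directory does not separate tenants, which is why the message's conclusion (keep authentication data out of the session) still holds.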