[Phpmyadmin-devel] sessions/cookies vs. javascript

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Tue Sep 27 05:58:08 CEST 2005


Garvin Hicking wrote:
> Hi!
> 
> (I can only agree to what Michal said - it's only not implemented because nobody
> got down to do it)
> 
> 
>>If you're going to implement this, do not forget that sessions should
>>work also without cookies enabled.
> 

I agree with sessions. Even if we ask for PHP 4.1.0 minimum as a 
requirement, maybe it's better to have the choice of using sessions or not. 
We could look at the possibility of using some kind of plugin mechanism for 
passing data.

> 
> There is also a problem about which Marc and I talked in the past. We should not
> store sensitive information like passwords in sessions, as usually all session
> data can be accessed from untrusted users on the same webserver, as session
> files are readable for everyone usually.
> 

We currently use blowfish for hiding user name and password in the 
cookies, so we should continue this way with sessions. But other 
sensitive data contained in a query (a social security number, for 
example) may find its way into session data, so we have to deal with 
this. Encrypt everything? With mcrypt it would not be too bad; without 
mcrypt, ouch.

> Also we need to think about what bad can happen when someone hijacks your
> session id, or uses session fixation.
> 
> Regards,
> Garvin
> 

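The two concerns raised in this thread (session files on a shared webserver being readable by other local users, and session fixation/hijacking) can be illustrated together. The following is an added example written for this page, not phpMyAdmin's code and not what the project eventually shipped: it keeps only ciphertext in the session file by encrypting sensitive values under a per-session key that lives solely in the client's cookie, and it regenerates the session id at login. It assumes PHP 7.3 or later with the openssl extension; the cookie name `pma_sk`, the session keys `db_user`/`db_pass` and the function names are hypothetical.

```php
<?php
// Added illustration, not phpMyAdmin code. Assumes PHP >= 7.3 with openssl.
// Idea: the session file (/tmp/sess_<id>) may be readable by other users on
// the same webserver, so store only ciphertext there; the key that unlocks it
// travels in the browser's cookie and is never written into $_SESSION.

const SESSION_KEY_COOKIE = 'pma_sk';     // hypothetical cookie name
const CIPHER             = 'aes-256-gcm'; // authenticated: tampering is detected

// Return the per-session key from the client's cookie, creating one if absent.
function sessionKey(): string
{
    $hex = $_COOKIE[SESSION_KEY_COOKIE] ?? '';
    if (strlen($hex) === 64 && ctype_xdigit($hex)) {
        return hex2bin($hex);
    }
    $key = random_bytes(32);
    setcookie(SESSION_KEY_COOKIE, bin2hex($key), [
        'expires'  => 0,        // browser-session cookie, not persisted to disk
        'path'     => '/',
        'secure'   => true,     // only over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    $_COOKIE[SESSION_KEY_COOKIE] = bin2hex($key); // usable within this request
    return $key;
}

// Encrypt a value for storage in $_SESSION: iv || tag || ciphertext, base64.
function sealForSession(string $plaintext, string $key): string
{
    $iv  = random_bytes(12);    // fresh nonce per value; never reuse with GCM
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Decrypt a stored value; null if the blob was altered or the key is wrong.
function openFromSession(string $blob, string $key): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Login path: new session id first, so an id planted by an attacker
// (fixation) is never the one that carries the authenticated state.
function loginStoreCredentials(string $user, string $password): void
{
    session_start();
    session_regenerate_id(true);   // true = delete the old session file too
    $key = sessionKey();
    $_SESSION['db_user'] = sealForSession($user, $key);
    $_SESSION['db_pass'] = sealForSession($password, $key);
}

// Later request: decrypt with the key the browser sends back in its cookie.
function currentCredentials(): ?array
{
    session_start();
    if (!isset($_SESSION['db_user'], $_SESSION['db_pass'])) {
        return null;
    }
    $key  = sessionKey();
    $user = openFromSession($_SESSION['db_user'], $key);
    $pass = openFromSession($_SESSION['db_pass'], $key);
    if ($user === null || $pass === null) {
        return null;              // missing/wrong cookie or tampered session
    }
    return ['user' => $user, 'password' => $pass];
}
```

Two caveats follow from the design. First, this only addresses the local-reader threat Garvin describes: someone who captures both the session cookie and the key cookie (hijacking) can still decrypt, so the same-site, secure and HttpOnly flags and the id regeneration are part of the protection, not optional. Second, the query text Marc mentions needs the same treatment as the password; anything written to `$_SESSION` in the clear is visible in the session file regardless of what was done for the credentials.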