[Phpmyadmin-devel] sessions/cookies vs. javascript
Marc Delisle
Marc.Delisle at cegepsherbrooke.qc.ca
Tue Sep 27 05:58:08 CEST 2005
Garvin Hicking wrote:
> Hi!
>
> (I can only agree to what Michal said - it's only not implemented because nobody
> got down to do it)
>
>
>>If you're going to implement this, do not forget that sessions should
>>work also without cookies enabled.
>
I agree with sessions. Even if we ask for PHP 4.1.0 minimum as a
requirement, maybe it's better to have the choice of using sessions or not.
We could look at the possibility of using some kind of plugin mechanism for
passing data.
>
> There is also a problem about which Marc and I talked in the past. We should not
> store sensitive information like passwords in sessions, as usually all session
> data can be accessed from untrusted users on the same webserver, as session
> files are readable for everyone usually.
>
We currently use blowfish for hiding user name and password in the
cookies, so we should continue this way with sessions. But other
sensitive data contained in a query (a social security number, for
example) may find its way into session data, so we have to deal with
this. Encrypt everything? With mcrypt it would not be too bad, without
mcrypt, ouch.
> Also we need to think about what bad can happen when someone hijacks your
> session id, or uses session fixation.
>
> Regards,
> Garvin
>
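An added example of the design the thread is circling around, written here for illustration and not taken from phpMyAdmin or from either poster: sensitive values are encrypted before they go into `$_SESSION`, with the key kept only in the client's cookie, so a world-readable session file holds nothing usable on its own. It assumes PHP 7.3 or later with ext/sodium (used in place of mcrypt); the cookie name, the `enc` session slot and the sample password are constructed.

```php
<?php
// Added example, not phpMyAdmin code. Assumes PHP >= 7.3 with ext/sodium.
declare(strict_types=1);

const SESSION_KEY_COOKIE = 'pma_sess_key'; // constructed cookie name

// Per-client key: lives only in the browser cookie, never in the session
// file, so another user on the same server reading sess_* sees ciphertext.
function clientKey(): string
{
    static $cached = null; // same key for the whole request
    if ($cached !== null) {
        return $cached;
    }
    $key = isset($_COOKIE[SESSION_KEY_COOKIE])
        ? base64_decode($_COOKIE[SESSION_KEY_COOKIE], true) : false;
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
        setcookie(SESSION_KEY_COOKIE, base64_encode($key), [
            'httponly' => true, 'secure' => true, 'samesite' => 'Strict',
        ]);
    }
    return $cached = $key;
}

function sessionPutSecret(string $name, string $value): void
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($value, $nonce, clientKey());
    $_SESSION['enc'][$name] = base64_encode($nonce . $box); // constructed slot
}

// Returns null when the value is absent, tampered with, or the cookie key
// does not match (e.g. a session file copied to another client).
function sessionGetSecret(string $name): ?string
{
    $raw = isset($_SESSION['enc'][$name])
        ? base64_decode($_SESSION['enc'][$name], true) : false;
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, clientKey());
    return $plain === false ? null : $plain;
}

// Usage at login: a fresh id blunts session fixation, then store the secret.
session_start();
session_regenerate_id(true);
sessionPutSecret('db_password', 'example-only'); // constructed sample value
```

Because `session_regenerate_id(true)` deletes the old session file, an id fixed by an attacker before login never becomes an authenticated one.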