[Phpmyadmin-devel] sessions/cookies vs. javascript
Sebastian Mendel
lists at sebastianmendel.de
Tue Sep 27 06:14:41 CEST 2005
Marc Delisle wrote:
> Garvin Hicking wrote:
>> Hi!
>>
>> (I can only agree to what Michal said - it's only not implemented because nobody
>> got down to do it)
>>
>>
>>> If you're going to implement this, do not forget that sessions should
>>> work also without cookies enabled.
>>
>
> I agree with sessions. Even if we ask as a requirement PHP 4.1.0

from the PMA docu:
You need PHP 4.1.0 or newer (*)
;-), nothing changes ...

> minimum, maybe it's better to have the choice of using sessions or not.
> We could look at the possibility of using some kind of plugin mechanism for
> passing data.
>> There is also a problem about which Marc and I talked in the past. We should not
>> store sensitive information like passwords in sessions, as usually all session
>> data can be accessed from untrusted users on the same webserver, as session
>> files are readable for everyone usually.
>
> We currently use blowfish for hiding user name and password in the
> cookies, so we should continue this way with sessions. But other
> sensitive data contained in a query (a social security number, for
> example) may find its way in session data, so we have to deal with
> this. Encrypt everything? With mcrypt it would not be too bad, without
> mcrypt, ouch.
Are you speaking about storing results in the session?
In most cases, I think, it would not be faster storing a result in the
session than querying the database again! - so storing results in the session
makes no sense - only for slow queries - and this can be a configuration
thing -
scfg['SaveSlowQueryResultsInSession']
--
Sebastian Mendel
www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
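
The approach discussed in this thread, writing only ciphertext to the session so that someone who can read the session files on a shared server learns nothing, as an added example (not part of the original message and not phpMyAdmin code). It uses AES-256-GCM from PHP's openssl extension in place of the Blowfish/mcrypt mentioned above; the function names, the `pma_password` key and the sample password are hypothetical, and it assumes the key is kept somewhere other than the session store.

```php
<?php
// Added example, not phpMyAdmin code. AES-256-GCM (ext/openssl) stands in
// for the Blowfish/mcrypt approach mentioned in the thread.

// Encrypt a value so that only ciphertext is written to the session file.
// $key: 32 random bytes that must live outside the session store (assumption).
function seal_for_session(string $plaintext, string $key): string
{
    $nonce = random_bytes(12);            // fresh nonce for every sealed value
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key,
                          OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

// Decrypt a sealed value; returns null on a wrong key or a modified blob.
function open_from_session(string $blob, string $key): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {   // 12-byte nonce + 16-byte tag
        return null;
    }
    $nonce = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = (string) substr($raw, 28);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key,
                          OPENSSL_RAW_DATA, $nonce, $tag);
    return $pt === false ? null : $pt;
}

// Demo: a plain array stands in for $_SESSION; all values are constructed.
$key = random_bytes(32);
$session = ['pma_password' => seal_for_session('s3cret-db-pass', $key)];

// serialize() approximates what another account on the server would read.
$onDisk = serialize($session);
var_dump(strpos($onDisk, 's3cret-db-pass') === false);   // plaintext absent?
var_dump(open_from_session($session['pma_password'], $key));
var_dump(open_from_session($session['pma_password'], random_bytes(32)));
```

This only helps if the key is not readable by the same party that can read the session files, for example when it is held in a client cookie rather than in a file on the shared server.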