[Phpmyadmin-devel] sessions/cookies vs. javascript

Sebastian Mendel lists at sebastianmendel.de
Tue Sep 27 06:14:41 CEST 2005

Marc Delisle wrote:
> Garvin Hicking a écrit :
>> Hi!
>> (I can only agree to what Michal said - it's only not implemented 
>> because nobody
>> got down to do it)
>>> If you're going to implement this, do not forget that sessions should
>>> work also without cookies enabled.
> I agree with sessions. Even if we ask as a requirement PHP 4.1.0 

from the PMA docu:

You need PHP 4.1.0 or newer (*)

;-), nothing changes ...

> minimum, maybe it's better to have the choice of using sessions or not. 
> We could look the possibility of using some kind of plugin mechanism for 
> passing data.

>> There is also a problem about which Marc and I talked in the past. We 
>> should not
>> store sensitive information like passwords in sessions, as usually all 
>> session
>> data can be accessed from untrusted users on the same webserver, as 
>> session
>> files are readable for everyone usually.
> We currently use blowfish for hiding user name and password in the 
> cookies, so we should continue this way with sessions. But other 
> sensitive data contained in a query (a social security number, for 
> example) may find it's way in session data, so we have to deal with 
> this. Encrypt everything? With mcrypt it would not be too bad, without 
> mcrypt, ouch.

you speaking about storing results in the session?

in most cases, i think, it would not be faster storing a result in the
session than query the database again! - so store results in the session
makes no sense - only for slow querys - and this can be a configuration
thing -


Sebastian Mendel

www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet

More information about the Developers mailing list