[Phpmyadmin-devel] sessions/cookies vs. javascript
Marc Delisle
Marc.Delisle at cegepsherbrooke.qc.ca
Tue Sep 27 06:24:44 CEST 2005
Sebastian Mendel wrote:
> Marc Delisle wrote:
>
>> Garvin Hicking wrote:
>>
>>> Hi!
>>>
>>> (I can only agree to what Michal said - it's only not implemented
>>> because nobody got down to do it)
>>>
>>>
>>>> If you're going to implement this, do not forget that sessions should
>>>> work also without cookies enabled.
>>>
>>>
>>
>> I agree with sessions. Even if we ask as a requirement PHP 4.1.0
>
>
> from the PMA docu:
>
> You need PHP 4.1.0 or newer (*)
>
> ;-), nothing changes ...
>
>> minimum, maybe it's better to have the choice of using sessions or
>> not. We could look the possibility of using some kind of plugin
>> mechanism for passing data.
>
>
>
>>> There is also a problem about which Marc and I talked in the past. We
>>> should not store sensitive information like passwords in sessions, as
>>> usually all session data can be accessed from untrusted users on the
>>> same webserver, as session files are readable for everyone usually.
>>
>>
>> We currently use blowfish for hiding user name and password in the
>> cookies, so we should continue this way with sessions. But other
>> sensitive data contained in a query (a social security number, for
>> example) may find its way in session data, so we have to deal with
>> this. Encrypt everything? With mcrypt it would not be too bad, without
>> mcrypt, ouch.
>
>
> Are you speaking about storing results in the session?
Not results but queries: select * from employee where ssn=123456789
>
> In most cases, I think, it would not be faster storing a result in the
> session than querying the database again! - so storing results in the
> session makes no sense - only for slow queries - and this can be a
> configuration thing -
>
> scfg['SaveSlowQueryResultsInSession']
>
>
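
The concern raised in this message, that a query such as the `ssn` example can end up in session files readable by other users on the same web server, illustrated with an added example that is not part of the original message and not phpMyAdmin code. It assumes PHP 7.2 or newer with the sodium extension (in place of the blowfish/mcrypt options discussed in the thread) and a key that the browser supplies in a cookie; `seal_for_session()` and `open_from_session()` are hypothetical helper names.

```php
<?php
// Added example, not phpMyAdmin code. Assumes PHP >= 7.2 with ext-sodium.
// seal_for_session() and open_from_session() are hypothetical helper names.

/** Encrypt and authenticate a value before it is placed in session data. */
function seal_for_session(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per value
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

/** Return the plaintext, or null if the key is wrong or the data was altered. */
function open_from_session(string $sealed, string $key): ?string
{
    $raw = base64_decode($sealed, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Assumption: in a web request the key arrives in a cookie from the browser and
// is never written to session storage; it is generated inline so this runs from the CLI.
$key = sodium_crypto_secretbox_keygen();

// Stand-in for $_SESSION, holding the query quoted in the thread.
$session = ['last_query' => seal_for_session('select * from employee where ssn=123456789', $key)];

// What another local user would see when reading the session file.
$onDisk = serialize($session);
echo 'SSN visible in stored data: ', var_export(strpos($onDisk, '123456789') !== false, true), "\n";

// The owning request, which holds the key, recovers the query.
echo 'Recovered with key: ', open_from_session($session['last_query'], $key), "\n";

// A reader with the file but not the key, or a modified file, gets nothing back.
$otherKey = sodium_crypto_secretbox_keygen();
echo 'Recovered without key: ', var_export(open_from_session($session['last_query'], $otherKey), true), "\n";
```

Because the key never reaches the session file, read access to the session directory alone does not expose the stored query.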