[Phpmyadmin-devel] Re: token and cookies
Sebastian Mendel
lists at sebastianmendel.de
Fri Apr 28 01:41:07 CEST 2006
Michal Čihař wrote:
> On Thu, 27 Apr 2006 15:29:31 +0200
> Sebastian Mendel <lists at sebastianmendel.de> wrote:
>
>> Michal Čihař wrote:
>>> On Thu, 27 Apr 2006 15:18:34 +0200
>>> Sebastian Mendel <lists at sebastianmendel.de> wrote:
>>>
>>>> for security reasons we decided to not support url session ids
>>> What's the problem with that?
>> session fixation and hijacking?
>
> Hmmm, what is better? This or XSRF or cookie requirement. Looks like we
> have to make a choice.
Whether URL SID is allowed or not is set in session.inc.php.
Possibly we could add a $cfg to allow URL SID, so it is the choice of
the user whether he allows SID via URL or not.
--
Sebastian Mendel
www.sebastianmendel.de