[Phpmyadmin-devel] Re: token and cookies
Sebastian Mendel
lists at sebastianmendel.de
Thu Jun 1 00:46:01 CEST 2006
Micheal Winger wrote:
> You guys really need a secure forum to talk through, heh.
>
> Here is a suggestion (keep in mind though I am not entirely aware of
> security flaws of how things are done with stuff.. and you guys can
> entirely dismiss this idea if you see fit).
>
> When a user first logs in, it gives them a URL to use (one specific to
> that computer alone), but of course that also then poses the problem of
> computers on a network; if it is able to grab network IPs you could
> match that as well, then phpMyAdmin would lock that URL code with that
> IP. This code would then be included on all URLs inside the use of
> phpMyAdmin to keep track of the user. If the user then goes to use
> phpMyAdmin on another computer, they would have to log another code for
> that computer.
You cannot bind the IP to the session, as you cannot ensure that a user
uses only one IP (proxy array), and not all proxies deliver the
forwarded-for header.
> This at least takes away the possibility of people stealing other
> people's URLs, as every time the page is loaded it would be verified;
> however, this method also imposes an obligation on the user to either
> bookmark the URL and not lose it, or to keep it somewhere safe where
> they wouldn't misplace it. Such a URL would also have to be lengthy in
> order to have a large amount of people using the system.
>
> This could be an option in the config as a separate method? I don't know
> if there are security flaws or any undesired measures in here, you guys
> can do with it what you will.