[Phpmyadmin-devel] Re: token and cookies

Sebastian Mendel lists at sebastianmendel.de
Thu Jun 1 00:46:01 CEST 2006

Micheal Winger schrieb:
> You guys really need a secure forum to talk through, heh.
> Here is a suggestion (keep in mind though I am not entirely aware of 
> security flaws of how things are done with stuff.. and you guys can 
> entirely dismiss this idea if you see fit).
> When a user first logs in, it gives them a url to use (one specific to 
> that computer alone) but of course that also then poses the problem of 
> computers on a network, if it is able to grab network IP's you could 
> match that as well, then phpMyAdmin would lock that url code with that 
> IP. this code would then be included on all urls inside the use of 
> phpMyAdmin to keep track of the user. If the user then goes to use 
> phpMyAdmin on another computer, they would have to log another code for 
> that computer.

you cannot bind the ip to the session, as you cannot ensure that a user 
uses only one IP (proxy array) and not all proxies deliver the 
forwarded-for header.

> This at least takes away the possibility of people stealing other 
> peoples urls as every time the page is loaded it would be verified, 
> however.. this method also imposes an obligation on the user to either 
> bookmark the url and not lose it, or to keep it somewhere safe where 
> they wouldn't misplace it. Such a url would also have to be lengthy in 
> order to have a large amount of people using the system.
> This could be an option in the config as a seperate method? I don't know 
> if there are security flaws or any undesired measures in here, you guys 
> can do with it what you will.

More information about the Developers mailing list