[Phpmyadmin-devel] Re: token and cookies
Michal Čihař
michal at cihar.com
Tue May 2 02:44:04 CEST 2006
On Fri, 28 Apr 2006 10:38:36 +0200
Sebastian Mendel <lists at sebastianmendel.de> wrote:
> Michal Čihař wrote:
> > On Thu, 27 Apr 2006 15:29:31 +0200
> > Sebastian Mendel <lists at sebastianmendel.de> wrote:
> >
> >> Michal Čihař wrote:
> >>> On Thu, 27 Apr 2006 15:18:34 +0200
> >>> Sebastian Mendel <lists at sebastianmendel.de> wrote:
> >>>
> >>>> for security reasons we decided to not support url session ids
> >>> What's the problem with that?
> >> session fixation and hijacking?
> >
> > Hmmm, what is better? This or XSRF or cookie requirement. Looks like we
> > have to make a choice.
>
> whether url sid is allowed or not is set in session.inc.php
IMHO it is allowed there:
// but not all user allow cookies
ini_set('session.use_only_cookies', false);
ini_set('session.use_trans_sid', true);
Or am I missing some other ini option that disables it completely?
--
Michal Čihař | http://cihar.com | http://blog.cihar.com
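
As an added example (not part of the original message and not phpMyAdmin code): a small PHP check that scans source text for the two session options quoted above and reports whether they let the session id travel in the URL. The function names and the sample input are constructed for illustration, and only literal ini_set() values are recognised.

```php
<?php
// Added example, not phpMyAdmin code. Function names are hypothetical.

/** Last literal value passed to ini_set() for each session.* key. */
function session_ini_overrides(string $source): array
{
    // Drop comments first so a commented-out ini_set() is not counted.
    $code = '';
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok) && in_array($tok[0], [T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        $code .= is_array($tok) ? $tok[1] : $tok;
    }
    $re = '/ini_set\(\s*[\'"](session\.\w+)[\'"]\s*,\s*[\'"]?(\w+)[\'"]?\s*\)/i';
    preg_match_all($re, $code, $calls, PREG_SET_ORDER);
    $seen = [];
    foreach ($calls as $call) {
        // Later calls override earlier ones, as they do at run time.
        $seen[strtolower($call[1])] =
            in_array(strtolower($call[2]), ['1', 'true', 'on', 'yes'], true);
    }
    return $seen;
}

/** Findings for the two options discussed in this thread. */
function url_sid_findings(array $seen): array
{
    $findings = [];
    if (($seen['session.use_only_cookies'] ?? null) === false) {
        $findings[] = 'use_only_cookies is off: a session id sent in the URL is accepted';
    }
    if (($seen['session.use_trans_sid'] ?? null) === true) {
        $findings[] = 'use_trans_sid is on: PHP may rewrite links to carry the session id';
    }
    return $findings;
}

// Constructed sample input: the three lines quoted in the message above.
$sample = <<<'SRC'
<?php
// but not all user allow cookies
ini_set('session.use_only_cookies', false);
ini_set('session.use_trans_sid', true);
SRC;

foreach (url_sid_findings(session_ini_overrides($sample)) as $line) {
    echo $line, PHP_EOL;
}
```

A key that is never set in the scanned source yields no finding, because its effective value then comes from php.ini and the PHP version's default.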