[Phpmyadmin-devel] Re: token and cookies

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Wed May 31 04:40:02 CEST 2006

Michal Čihař a écrit :
> On Fri, 28 Apr 2006 10:38:36 +0200
> Sebastian Mendel <lists at sebastianmendel.de> wrote:
>> whether url sid is allowed or not is set in session.inc.php
>> possible we could add a $cfg to allow url sid - so it is the choice of 
>> the user if he allows sid via url or not
> Yes, we should add config option for that. And add documentation note
> that we require cookies unless this is enabled.

I am not really in favor of this idea. I guess it's the old security 
versus usability issue.

On one hand, we have users who have control over their browser and who, 
for some reason, disable cookies.

On the other hand, many users are using PMA on a shared installation, on 
which they have no control about PMA config.

In practice, is the threat about sessions fixation/hijacking real?

P.S. In 2.8.1 we now have this cookies restriction but I don't think 
it's documented.



More information about the Developers mailing list