[Phpmyadmin-devel] Re: token and cookies

[Sebastian Mendel]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc Delisle schrieb:
> Michal ?iha? a écrit :
>> On Fri, 28 Apr 2006 10:38:36 +0200
>> Sebastian Mendel <lists at sebastianmendel.de> wrote:
>>
>>> whether url sid is allowed or not is set in session.inc.php
>>> possible we could add a $cfg to allow url sid - so it is the choice
>>> of the user if he allows sid via url or not
>>
>> Yes, we should add config option for that. And add documentation note
>> that we require cookies unless this is enabled.
>>
> 
> I am not really in favor of this idea. I guess it's the old security
> versus usability issue.
> 
> On one hand, we have users who have control over their browser and who,
> for some reason, disable cookies.

if i deny someone to remember my face i cannot blame on him asking me
everytime who am i!


> On the other hand, many users are using PMA on a shared installation, on
> which they have no control about PMA config.
> 
> In practice, is the threat about sessions fixation/hijacking real?

fixation: it is real, and very easy!

domain.tld/script.php?PHPSID=1234

and now i send you this link you click it and your session is run under
the id 1234 - now i wait till you logged in and i can use this session
id to call the page by myself and be logged in with your details

but of course this is not possible with PMA currently - as the auth is
not handled with session!

hijacking same as above, just you don't send the url but catch it
somewhere, f.e. at the router or proxy - did you never tried to copy the
url from one brwoser to another? with cookie based session ids this will
not work you found yourself always on the login screen, with url based
session id it works!


- --
Sebastian Mendel

www.sebastianmendel.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFEfYtPX/0lClpZDr4RAjwkAKCRNY7U3UH+Njntzsh4JVT1nU81XQCaA7QT
M/WxxRnv7OfUIxzUXaHkCxU=
=3AJe
-----END PGP SIGNATURE-----