[Phpmyadmin-devel] Re: token and cookies

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Wed May 31 05:53:01 CEST 2006


Sebastian Mendel wrote:
> 
> Marc Delisle wrote:
>> Michal Čihař wrote:
>>> On Fri, 28 Apr 2006 10:38:36 +0200
>>> Sebastian Mendel <lists at sebastianmendel.de> wrote:
>>>
>>>> whether url sid is allowed or not is set in session.inc.php
>>>> possible we could add a $cfg to allow url sid - so it is the choice
>>>> of the user if he allows sid via url or not
>>> Yes, we should add config option for that. And add documentation note
>>> that we require cookies unless this is enabled.
>>>
>> I am not really in favor of this idea. I guess it's the old security
>> versus usability issue.
>>
>> On one hand, we have users who have control over their browser and who,
>> for some reason, disable cookies.
> 
> if I deny someone the right to remember my face, I cannot blame him for
> asking me every time who I am!
> 
> 
>> On the other hand, many users are using PMA on a shared installation, on
>> which they have no control about PMA config.
>>
>> In practice, is the threat about sessions fixation/hijacking real?
> 
> fixation: it is real, and very easy!
> 
> domain.tld/script.php?PHPSID=1234
> 
> and now I send you this link, you click it and your session runs under
> the id 1234 - now I wait till you have logged in and I can use this session
> id to call the page myself and be logged in with your details
> 
> but of course this is not possible with PMA currently - as the auth is
> not handled with session!
> 
> hijacking is the same as above, just you don't send the url but catch it
> somewhere, e.g. at the router or proxy - did you never try to copy the
> url from one browser to another? with cookie based session ids this will
> not work, you always find yourself on the login screen, with url based
> session id it works!
> 
> 

Thanks Sebastian,

Can't we implement some of the countermeasures as explained in section 5 
of this document? For example, binding the legitimate user's IP address 
to our session data?

http://www.acros.si/papers/session_fixation.pdf

Marc
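The countermeasures Marc asks about, as an added PHP example that is not phpMyAdmin's own code: a cookie-only session configuration that refuses URL-supplied ids, a client-binding check (IP address plus User-Agent, in the spirit of section 5 of the Acros paper), and id regeneration at login so a planted id is never upgraded to an authenticated one. The function names are made up for this example; the IP binding carries the caveat that users behind rotating proxies or NAT pools will be logged out.

```php
<?php
// Added example (not phpMyAdmin code): hardening a plain PHP session
// against the fixation/hijacking scenario discussed in the thread.
declare(strict_types=1);

// 1. Never accept a session id from the URL: cookies only, no trans-sid,
//    reject ids the server never issued, and keep the cookie out of scripts.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

// 2. Bind the session to the client. Caveat: users whose IP changes
//    mid-session (proxy pools, mobile networks) are forced to log in again.
function clientFingerprint(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . '|' . $ua);
}

// 3. Start the session and discard it if it arrives from a different client
//    than the one it was issued to (the "copy the url to another browser" case).
function startBoundSession(): void
{
    session_start();
    $expected = $_SESSION['fingerprint'] ?? null;
    if ($expected !== null && !hash_equals($expected, clientFingerprint())) {
        session_unset();                 // drop the data the other client owned
        session_regenerate_id(true);     // and the id it was presented under
    }
    $_SESSION['fingerprint'] = clientFingerprint();
}

// 4. Issue a fresh id at the privilege change. An id an attacker planted
//    before login (the script.php?PHPSID=1234 link) is deleted here, so
//    waiting for the victim to log in gains the attacker nothing.
function onSuccessfulLogin(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['fingerprint'] = clientFingerprint();
}

startBoundSession();
```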