[Phpmyadmin-devel] Re: token and cookies

Garvin Hicking phpmyadmin at supergarv.de
Wed May 31 06:11:06 CEST 2006



Hi!

> can't we implement some of the countermeasures as explained in section 5 of this
> document? For example, binding the legitimate user's IP address to our session
> data?

The easiest way to counter session fixation is to just perform a
session_regenerate_id() after the login. This way, any "fixated" session will be
changed to a random session ID after the credentials are entered.

Binding an IP address should IMHO be prevented; it's just security by obscurity
and no "real" means against intrusion.

Session hijacking is a more definite problem. IMHO exposing the session ID in
the URL must be avoided at all costs. Thus, only allowing cookie-enabled logins
is IMHO the best way to deal with it. PMA is a sensible application, thus
specific browser settings should be applied to it. You can't expect a user to
have security on his databases if he disallows cookies, so we shouldn't support
this mode. That's my take, of course. ;)

Best regards,
Garvin

--
++ Garvin Hicking | Web-Entwickler [PHP]    | www.garv.in | ICQ 21392242
++ Developer of   | www.phpMyAdmin.net      | www.s9y.org

++ Make me happy  | http://wishes.garv.in


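The two measures argued for in the message above, regenerating the session ID right after a successful login and accepting session IDs only from cookies, as an added PHP example; this is not phpMyAdmin's code, and checkCredentials() with its demo user is a constructed placeholder for a real user store.

```php
<?php
// Added example, not phpMyAdmin code: cookie-only PHP session whose ID is
// replaced after login, so a session fixated before login never becomes
// an authenticated one.

// Never accept a session ID from the URL and never append it to links.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject uninitialised IDs
session_set_cookie_params([
    'lifetime' => 0,         // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,      // sent over HTTPS only
    'httponly' => true,      // not readable from JavaScript
    'samesite' => 'Strict',
]);
session_start();

/**
 * Verify credentials and, on success, issue a fresh session ID before any
 * authenticated state is stored. Returns true on successful login.
 */
function login(string $user, string $password): bool
{
    if (!checkCredentials($user, $password)) {
        return false;
    }
    // Generate a new random ID and delete the old session data on the server
    // (the "true" argument), then start the authenticated state from scratch.
    session_regenerate_id(true);
    $_SESSION = [];
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

/**
 * Hypothetical credential check standing in for a real user lookup. The
 * single demo user and its hash are constructed at runtime for this example.
 */
function checkCredentials(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['demo' => password_hash('demo-password', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}
```

Calling login('demo', 'demo-password') from a request handler succeeds and changes the PHPSESSID cookie; a session ID an attacker planted before that call is discarded along with its server-side data.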