[Phpmyadmin-devel] Re: token and cookies
lists at sebastianmendel.de
Wed May 31 06:21:10 CEST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Garvin Hicking schrieb:
>> can't we implement some of the countermeasures as explained in section 5 of this
>> document? For example, binding the legitimate user's IP address to our session
> The most easy way to counter session fixation is to just perform a
> session_regenerate_id() after the login. This way, any "fixated" session will be
> changed to a random session ID after the credentials are entered.
> Binding an IP address should IMHO be prevented, it's just security by obscurity
> and no "real" mean against intrusion.
and is not possible, user may switch proxies between requests (AOL) and
proxies does not always provide Forwarded-For headers.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
-----END PGP SIGNATURE-----
More information about the Developers