[Phpmyadmin-devel] Re: token and cookies
Sebastian Mendel
lists at sebastianmendel.de
Wed May 31 06:21:10 CEST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Garvin Hicking schrieb:
> Hi!
>
>> can't we implement some of the countermeasures as explained in section 5 of this
>> document? For example, binding the legitimate user's IP address to our session
>> data?
>
> The most easy way to counter session fixation is to just perform a
> session_regenerate_id() after the login. This way, any "fixated" session will be
> changed to a random session ID after the credentials are entered.
>
> Binding an IP address should IMHO be prevented, it's just security by obscurity
> and no "real" mean against intrusion.
and is not possible, user may switch proxies between requests (AOL) and
proxies does not always provide Forwarded-For headers.
- --
Sebastian Mendel
www.sebastianmendel.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
iD8DBQFEfZkLX/0lClpZDr4RAq+LAJ9iMqM9wU3ppksNm216rBI8Henk/ACggQVp
h/CWL2Dj7LOIVF4ui4/lZUI=
=ChHJ
-----END PGP SIGNATURE-----
More information about the Developers
mailing list