[Phpmyadmin-devel] Re: token and cookies

Sebastian Mendel lists at sebastianmendel.de
Wed May 31 06:21:10 CEST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Garvin Hicking schrieb:
> Hi!
> 
>> can't we implement some of the countermeasures as explained in section 5 of this
>> document? For example, binding the legitimate user's IP address to our session
>> data?
> 
> The easiest way to counter session fixation is to just perform a
> session_regenerate_id() after the login. This way, any "fixated" session will be
> changed to a random session ID after the credentials are entered.
> 
> Binding an IP address should IMHO be prevented; it's just security by obscurity
> and no "real" means against intrusion.

and it is not possible: users may switch proxies between requests (AOL), and
proxies do not always provide Forwarded-For headers.



- --
Sebastian Mendel

www.sebastianmendel.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFEfZkLX/0lClpZDr4RAq+LAJ9iMqM9wU3ppksNm216rBI8Henk/ACggQVp
h/CWL2Dj7LOIVF4ui4/lZUI=
=ChHJ
-----END PGP SIGNATURE-----
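
The countermeasure Garvin describes, regenerating the session id once the credentials have been verified, written out as a login handler. This is an added example and not phpMyAdmin's own code; check_credentials(), the sample user and the cookie parameters are assumptions made for illustration.

```php
<?php
// Added example, not code from phpMyAdmin or from the thread's participants.
// Shows the anti-fixation step discussed above: a fresh session id is issued
// only after authentication succeeds, so an id an attacker planted in the
// victim's browser beforehand stops being worth anything at that moment.

declare(strict_types=1);

/**
 * Hypothetical credential check, stands in for the project's real
 * authentication routine. The single user below is constructed sample data.
 */
function check_credentials(string $user, string $pass): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

/**
 * Starts the session with cookie flags that limit what a fixated or stolen
 * id can do ('secure' assumes the site is served over HTTPS).
 */
function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,   // not readable from script
        'secure'   => true,   // only sent over TLS
        'samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);
    session_start();
}

/**
 * Returns true on successful login. Whatever session id the request arrived
 * with is discarded at that point and replaced by a random one.
 */
function login(string $user, string $pass): bool
{
    start_session();

    if (!check_credentials($user, $pass)) {
        // Failed attempts keep the (possibly attacker-chosen) id; nothing of
        // value is stored in it yet, so there is nothing for the attacker to
        // reach through it.
        return false;
    }

    // The countermeasure: regenerate *after* the credentials are accepted and
    // *before* any privileged state is written. The 'true' argument deletes
    // the old session's data, so the attacker's copy of the old id no longer
    // resolves to a session at all.
    session_regenerate_id(true);

    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

/** Tears the whole session down, including the cookie, on logout. */
function logout(): void
{
    start_session();
    $_SESSION = [];
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $params['path'],
              $params['domain'], $params['secure'], $params['httponly']);
    session_destroy();
}
```

The order matters: the call to session_regenerate_id() must sit between the successful credential check and the first write of authenticated state, otherwise the attacker-chosen id briefly carries a logged-in session. Regeneration addresses an id fixed before login only; an id captured after login (via script injection or a cleartext connection) is still usable, which is what the cookie flags above are for.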