[Phpmyadmin-devel] Re: token and cookies

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Wed May 31 06:56:02 CEST 2006


Garvin Hicking wrote:
> Hi!
> 
>> can't we implement some of the countermeasures as explained in section 5 of this
>> document? For example, binding the legitimate user's IP address to our session
>> data?
> 
> The easiest way to counter session fixation is to just perform a
> session_regenerate_id() after the login. This way, any "fixated" session will be
> changed to a random session ID after the credentials are entered.

Ok, but this would move our minimum PHP version to 4.3.2. Probably not 
too bad, see
http://www.nexen.net/chiffres_cles/phpversion/php_statistics_for_april_2006.php

But, as you say, there would still be the hijacking problem, so let's 
say that regenerating session id could be added in 2.9.x as an added 
security measure, not for allowing users to disable their cookies.

If we really make official the cookies restriction, I would like to 
document this and release 2.8.2 in a few days.

Marc

> 
> Binding an IP address should IMHO be prevented, it's just security by obscurity
> and no "real" means against intrusion.
> 
> Session hijacking is a more definite problem. IMHO exposing the session ID in
> the URL must be avoided at all costs. Thus, only allowing cookie-enabled logins
> is IMHO the best way to deal with it. PMA is a sensible application, thus
> specific browser settings should be applied to it. You can't expect a user to
> have security on his databases if he disallows cookies, so we shouldn't support
> this mode. That's my take, of course. ;)
> 
> Best regards,
> Garvin
> 
> - --
> ++ Garvin Hicking | Web-Entwickler [PHP]    | www.garv.in | ICQ 21392242
> ++ Developer of   | www.phpMyAdmin.net      | www.s9y.org
> 
> ++ Make me happy  | http://wishes.garv.in
> 

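The countermeasure discussed above (cookie-only sessions plus a session_regenerate_id() after the credentials are verified), as an added example that is not phpMyAdmin code and not from either poster; check_credentials() is a hypothetical stand-in for the application's own authentication, and the account in it is constructed.

```php
<?php
// Added example: keep the session ID out of URLs and rotate it on login,
// so an ID fixated before authentication never becomes the logged-in one.

// Cookie-only sessions: no session ID in links or forms (use_trans_sid off).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// HttpOnly cookie flag (PHP >= 5.2); add session.cookie_secure under HTTPS.
ini_set('session.cookie_httponly', '1');

session_start();

// Hypothetical credential check standing in for the real one.
function check_credentials($user, $password)
{
    // constructed example account, not a real login
    return $user === 'pma' && $password === 'example-only';
}

function login($user, $password)
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    // Fresh ID after successful login: whatever ID the client arrived with
    // no longer maps to the authenticated session. The delete_old_session
    // argument needs PHP >= 5.1; on 4.3.2 call session_regenerate_id()
    // with no argument (the old session file is then left behind).
    session_regenerate_id(true);
    // Start from an empty session so nothing planted pre-login survives.
    $_SESSION = array();
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
    return true;
}

$user = isset($_POST['user']) ? $_POST['user'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

if (login($user, $password)) {
    echo 'logged in as ' . htmlspecialchars($_SESSION['user']);
} else {
    echo 'login failed';
}
```

Regenerating the ID addresses fixation only; a cookie stolen after login still works until the session expires, which is the hijacking problem the thread leaves open.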