[Phpmyadmin-devel] Re: token and cookies

Garvin Hicking phpmyadmin at supergarv.de
Wed May 31 07:12:02 CEST 2006



Hi Marc!

>> The most easy way to counter session fixation is to just perform a
>> session_regenerate_id() after the login. This way, any "fixated" session will
>> be changed to a random session ID after the credentials are entered.
>
> Ok, but this would move our minimum PHP version to 4.3.2. Probably not
> too bad, see
> http://www.nexen.net/chiffres_cles/phpversion/php_statistics_for_april_2006.php

session_regenerate_id() can be emulated with
session_start()...session_destroy()...session_start() commands for earlier
versions, where you just copy the $_SESSION array to a temporary array, restart
the session and be dealt with.

> But, as you say, there would still be the hijacking problem, so let's
> say that regenerating session id could be added in 2.9.x as an added security
> measure, not for allowing users to disable their cookies.

Right, session fixation is only a (real) problem when URLs are used. So if we
officially only support cookie-enabled sessions, the session regeneration would
actually not even be necessary at all. But it would prevent possible future
abuse having that in 2.9.x.

Best regards,
Garvin

--
++ Garvin Hicking | Web-Entwickler [PHP]    | www.garv.in | ICQ 21392242
++ Developer of   | www.phpMyAdmin.net      | www.s9y.org

++ Make me happy  | http://wishes.garv.in
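The regeneration-after-login step discussed above, as an added example that is not part of this thread or of phpMyAdmin's code: it uses the native session_regenerate_id() where it exists and otherwise emulates it the way Garvin describes (copy $_SESSION, destroy the old session, start a fresh one, restore the data). The function name pma_regenerate_session_id and the way the fallback picks its new ID are assumptions of this example.

```php
<?php
// Added example, not phpMyAdmin code. Call this immediately after the
// user's credentials have been verified, so that any session ID an
// attacker may have planted (session fixation) is replaced by a new one
// before the session becomes authenticated.

function pma_regenerate_session_id()
{
    if (function_exists('session_regenerate_id')) {
        // Native support (PHP 4.3.2 and later). From PHP 5.1.0 the optional
        // argument also removes the old session data, so the fixated ID
        // cannot be reused afterwards.
        if (version_compare(PHP_VERSION, '5.1.0', '>=')) {
            return session_regenerate_id(true);
        }
        return session_regenerate_id();
    }

    // Emulation for versions without session_regenerate_id():
    // 1. keep a copy of the session data,
    $saved = $_SESSION;
    // 2. destroy the old (possibly attacker-chosen) session,
    session_destroy();
    // 3. force a new ID before restarting; without this, session_start()
    //    would simply pick the old ID up again from the cookie. The ID
    //    source below is an assumption of this example, not phpMyAdmin's.
    session_id(md5(uniqid(rand(), true)));
    // 4. start the fresh session (sends the new cookie) and restore the data.
    session_start();
    $_SESSION = $saved;
    return true;
}

// Usage sketch (assumed names): run once per successful login.
session_start();
if (isset($login_ok) && $login_ok) {
    $_SESSION['auth_user'] = $user;
    pma_regenerate_session_id();
}
```

On a pure cookie-based setup the new ID reaches the browser only through the Set-Cookie header emitted by session_start(), so this has to run before any output is sent.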
