[Phpmyadmin-devel] Re: token and cookies
lists at sebastianmendel.de
Wed May 31 07:17:03 CEST 2006
Marc Delisle wrote:
> Garvin Hicking wrote:
>>> can't we implement some of the countermeasures as explained in
>>> section 5 of this
>>> document? For example, binding the legitimate user's IP address to
>>> our session
>> The most easy way to counter session fixation is to just perform a
>> session_regenerate_id() after the login. This way, any "fixated"
>> session will be
>> changed to a random session ID after the credentials are entered.
> Ok, but this would move our minimum PHP version to 4.3.2. Probably not
> too bad, see
you can do this without session_regenerate_id() too
> But, as you say, there would still be the hijacking problem, so let's
> say that regenerating session id could be added in 2.9.x as an added
> security measure, not for allowing users to disable their cookies.
but we have no hijacking problem - the login is not stored in the session!
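The countermeasure Garvin describes above (rotate the session ID right after the credentials are accepted) and the manual alternative Sebastian alludes to for PHP versions without session_regenerate_id(), as an added example that is not part of this thread nor phpMyAdmin's own code. The credentials_valid() function and the demo account are hypothetical stand-ins for a real authentication backend; the manual variant uses random_bytes() for the new ID, which is a modern substitute, not what a PHP 4 build would have used.

```php
<?php
// Added example (not phpMyAdmin code). Session fixation: an attacker plants
// a session ID in the victim's browser before login. If the application
// keeps that ID after authentication, the planted ID becomes a logged-in
// session. Rotating the ID at login makes the planted ID worthless.

declare(strict_types=1);

// Hypothetical credential check standing in for the real backend.
function credentials_valid(string $user, string $pass): bool
{
    // Constructed demo account; a real application looks up a stored hash.
    static $demo = null;
    if ($demo === null) {
        $demo = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($demo[$user]) && password_verify($pass, $demo[$user]);
}

// Authenticate and rotate the session ID (PHP >= 4.3.2 has
// session_regenerate_id(); the 'true' argument, PHP >= 5.1, also deletes
// the old session data so the pre-login ID cannot be reused).
// Returns the new session ID, or null when the credentials are rejected.
function login_with_fresh_session(string $user, string $pass): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!credentials_valid($user, $pass)) {
        return null;          // no state change for failed logins
    }
    $old = session_id();
    session_regenerate_id(true);
    $_SESSION['user']      = $user;
    $_SESSION['auth_time'] = time();
    // Worth logging: a fixation attempt shows up as a login whose
    // pre-login ID was never issued by this server.
    error_log("session rotated on login: old={$old} new=" . session_id());
    return session_id();
}

// Manual equivalent for builds that lack session_regenerate_id():
// keep the data in memory, discard the old session, start a new one
// under a freshly generated ID, then restore the data.
function rotate_session_manually(): string
{
    $data = $_SESSION;                 // preserve what the user already has
    session_destroy();                 // drop the old (possibly planted) ID
    session_id(bin2hex(random_bytes(16)));  // 128-bit random ID (assumption: PHP 7+)
    session_start();                   // new session under the new ID
    $_SESSION = $data;
    return session_id();
}
```

Both functions must run before any output is sent, because the new ID is delivered to the browser as a Set-Cookie header. The rotation addresses fixation only: it does not protect a session whose ID is captured after login, which is the hijacking point Marc raises in the quoted text.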