[Phpmyadmin-devel] Re: token and cookies
Sebastian Mendel
lists at sebastianmendel.de
Wed May 31 07:17:03 CEST 2006
Marc Delisle wrote:
> Garvin Hicking wrote:
> Hi!
>
>>> Can't we implement some of the countermeasures as explained in
>>> section 5 of this document? For example, binding the legitimate
>>> user's IP address to our session data?
>>
>> The easiest way to counter session fixation is to just perform a
>> session_regenerate_id() after the login. This way, any "fixated"
>> session will be changed to a random session ID after the credentials
>> are entered.
>
> Ok, but this would move our minimum PHP version to 4.3.2. Probably not
> too bad, see
> http://www.nexen.net/chiffres_cles/phpversion/php_statistics_for_april_2006.php
You can do this without session_regenerate_id() too.
> But, as you say, there would still be the hijacking problem, so let's
> say that regenerating session id could be added in 2.9.x as an added
> security measure, not for allowing users to disable their cookies.
But we have no hijacking problem - the login is not stored in the session!
--
Sebastian Mendel
www.sebastianmendel.de
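The countermeasure discussed in this thread, as an added example that is not phpMyAdmin code and not part of the original message: after the credential check succeeds, the session ID is replaced so that an ID planted by an attacker before login (fixation) never becomes the authenticated session. It uses session_regenerate_id() where PHP 4.3.2 or later provides it, and otherwise falls back to the manual route Sebastian mentions (copy the data, destroy the old session, start a new one under a fresh ID). The function names check_credentials(), new_session_id() and rotate_session_id(), the user name and password, and the session keys are assumptions made for the example.

```php
<?php
// Added example, not phpMyAdmin code. Demonstrates regenerating the session
// ID after a successful login, with and without session_regenerate_id().

// Hypothetical credential check standing in for the real one.
function check_credentials($user, $password)
{
    return $user === 'alice' && $password === 'correct horse';
}

// Returns a fresh, unguessable session ID for the manual fallback.
function new_session_id()
{
    if (function_exists('random_bytes')) {        // PHP >= 7: CSPRNG
        return bin2hex(random_bytes(16));
    }
    // Older PHP: not a CSPRNG, acceptable only as an illustration.
    return md5(uniqid(mt_rand(), true));
}

// Replace the current session ID while keeping the session data, and make
// sure the old ID no longer maps to anything on the server.
function rotate_session_id()
{
    if (function_exists('session_regenerate_id')) {      // PHP >= 4.3.2
        if (version_compare(PHP_VERSION, '5.1.0', '>=')) {
            // The 'true' argument (PHP >= 5.1) deletes the old session
            // data, so the fixed ID is dead on the server as well.
            return session_regenerate_id(true);
        }
        // PHP 4.3.2 - 5.0: the old ID's data stays until garbage
        // collection, but it no longer carries the login below.
        return session_regenerate_id();
    }

    // PHP < 4.3.2: do it by hand.
    $data = $_SESSION;             // keep whatever was stored pre-login
    session_destroy();             // remove the old ID's server-side data
    session_id(new_session_id());  // an explicit ID makes session_start()
    session_start();               // send a new Set-Cookie header
    $_SESSION = $data;
    return true;
}

session_start();

if (isset($_POST['user'], $_POST['pwd'])
    && check_credentials($_POST['user'], $_POST['pwd'])) {
    // Order matters: rotate first, then record the login, so nothing
    // sensitive is ever written under the pre-login (possibly fixed) ID.
    rotate_session_id();
    $_SESSION['user']         = $_POST['user'];
    $_SESSION['logged_in_at'] = time();
}
```

The important detail is the ordering: the rotation happens before any authenticated state is written, so even if the old ID's data file lingers on PHP versions without the delete_old_session argument, it only ever contains the anonymous pre-login data.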