[Phpmyadmin-devel] Re: token and cookies

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Wed May 31 07:23:05 CEST 2006


Sebastian Mendel wrote:
> 
> Marc Delisle wrote:
>> Garvin Hicking wrote:
>>> Hi!
>>
>>>> can't we implement some of the countermeasures as explained in
>>>> section 5 of this document? For example, binding the legitimate
>>>> user's IP address to our session data?
>>> The easiest way to counter session fixation is to just perform a
>>> session_regenerate_id() after the login. This way, any "fixated"
>>> session will be changed to a random session ID after the credentials
>>> are entered.
>> Ok, but this would move our minimum PHP version to 4.3.2. Probably not
>> too bad, see
>> http://www.nexen.net/chiffres_cles/phpversion/php_statistics_for_april_2006.php
> 
> you can do this without session_regenerate_id() too
> 
> 
>> But, as you say, there would still be the hijacking problem, so let's
>> say that regenerating session id could be added in 2.9.x as an added
>> security measure, not for allowing users to disable their cookies.
> 
> but we have no hijacking problem - the login is not stored in the session!

You're right. I forgot this because you talked about hijacking in a 
previous message :)

So, with a regenerating technique we could use URL-based session id and 
avoid our cookie restriction? :)

Marc
> 
> 
> 
> - --
> Sebastian Mendel
> 
> www.sebastianmendel.de
> 
> 
> _______________________________________________
> Phpmyadmin-devel mailing list
> Phpmyadmin-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
> 
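An added example (not phpMyAdmin's own code) of the countermeasure Garvin describes, regenerating the session id immediately after a successful login, together with the manual fallback Sebastian alludes to for PHP versions before 4.3.2; authenticate() is a hypothetical credential check.

```php
<?php
// Added example, not phpMyAdmin's own code: regenerate the session id right
// after a successful login so that an id an attacker planted before login
// (a "fixated" id, e.g. one carried in a URL) is never promoted to a
// logged-in session. authenticate() is a hypothetical credential check.

function regenerate_session_id_compat()
{
    // session_regenerate_id() is available from PHP 4.3.2; the branch below
    // reproduces its effect by hand for older versions, as the thread notes.
    if (function_exists('session_regenerate_id')) {
        // true: also delete the old session storage so the planted id is dead
        return session_regenerate_id(true);
    }
    $data = $_SESSION;                  // keep whatever the session already holds
    session_destroy();                  // drop the old (possibly attacker-chosen) id
    $new_id = function_exists('random_bytes')
        ? bin2hex(random_bytes(16))     // 128 bits from the CSPRNG (PHP 7+)
        : md5(uniqid(mt_rand(), true)); // best available on very old PHP
    session_id($new_id);                // id chosen by the server, not the client
    session_start();                    // sends a fresh Set-Cookie / trans-sid value
    $_SESSION = $data;
    return true;
}

function login($user, $password)
{
    if (!authenticate($user, $password)) { // hypothetical credential check
        return false;
    }
    // Regenerate BEFORE recording anything about the login in the session:
    // nothing tied to the authenticated user may live under the old id.
    regenerate_session_id_compat();
    $_SESSION['user']      = $user;
    $_SESSION['logged_in'] = true;
    return true;
}
```

session_start() must already have been called before login(); where cookies are available, keeping session.use_only_cookies enabled removes the URL-carried id that makes fixation easy in the first place.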