[Phpmyadmin-devel] Re: token and cookies
Marc.Delisle at cegepsherbrooke.qc.ca
Wed May 31 07:23:05 CEST 2006
Sebastian Mendel wrote:
> Marc Delisle wrote:
>> Garvin Hicking wrote:
>>>> can't we implement some of the countermeasures as explained in section 5 of this document? For example, binding the legitimate user's IP address to our session
>>> The easiest way to counter session fixation is to just perform a session_regenerate_id() after the login. This way, any "fixated" session will be changed to a random session ID after the credentials are entered.
>> Ok, but this would move our minimum PHP version to 4.3.2. Probably not too bad, see
> you can do this without session_regenerate_id() too
>> But, as you say, there would still be the hijacking problem, so let's say that regenerating session id could be added in 2.9.x as an added security measure, not for allowing users to disable their cookies.
> but we have no hijacking problem - the login is not stored in the session!
You're right. I forgot this because you talked about hijacking in a previous message :)

So, with a regenerating technique we could use URL-based session id and avoid our cookie restriction? :)
> --
> Sebastian Mendel
> Phpmyadmin-devel mailing list
> Phpmyadmin-devel at lists.sourceforge.net
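The two approaches discussed in the thread, as an added example that is not part of the original messages or of phpMyAdmin's code: regenerating the session ID right after a successful credential check, either with session_regenerate_id() or by hand (close the session, pick a fresh random ID, start again). The credential check authenticateUser() and the user table inside it are hypothetical stand-ins for an application's own login logic, and the code targets current PHP (random_bytes, session_status) rather than the PHP 4 versions being debated.

```php
<?php
// Added example (not phpMyAdmin code): promote a login to a brand-new session
// ID so that an ID planted before login ("session fixation") never becomes
// an authenticated session. authenticateUser() is a hypothetical stand-in.

declare(strict_types=1);

function authenticateUser(string $user, string $password): bool
{
    // Hypothetical user store: a real application would look the user up.
    static $known = null;
    if ($known === null) {
        $known = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($known[$user]) && password_verify($password, $known[$user]);
}

/**
 * Preferred form: session_regenerate_id() (PHP >= 4.3.2; the boolean
 * delete_old_session argument needs PHP >= 5.1). Passing true discards the
 * data stored under the old ID so the pre-login ID cannot be reused.
 */
function loginWithRegenerate(string $user, string $password): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!authenticateUser($user, $password)) {
        return false;             // keep the old (unauthenticated) session as-is
    }
    session_regenerate_id(true);  // new random ID, old ID's data deleted
    $_SESSION['auth_user']  = $user;
    $_SESSION['login_time'] = time();
    return true;
}

/**
 * Same effect without session_regenerate_id(), as the thread notes is possible:
 * copy what is worth keeping, destroy the current session, choose a fresh
 * unguessable ID, and start a new session under it.
 */
function loginWithManualRegenerate(string $user, string $password): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!authenticateUser($user, $password)) {
        return false;
    }
    $keep = $_SESSION;                          // data to carry across
    session_unset();
    session_destroy();                          // drop the attacker-chosen ID
    session_id(bin2hex(random_bytes(16)));      // fresh 128-bit random ID
    session_start();                            // new session under the new ID
    $_SESSION = $keep;
    $_SESSION['auth_user']  = $user;
    $_SESSION['login_time'] = time();
    return true;
}
```

In both variants the important property is the ordering: the ID changes only after the credentials are verified, and the ID the browser held before that moment is no longer valid. Note that regeneration addresses fixation only; an ID carried in the URL rather than a cookie can still be exposed through Referer headers, proxy and server logs, and browser history, which is a separate risk to weigh before relaxing the cookie requirement.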