[Phpmyadmin-devel] Re: token and cookies

Garvin Hicking phpmyadmin at supergarv.de
Wed May 31 07:32:04 CEST 2006


Hi!

> So, with a regenerating technique we could use URL-based session id and
> avoid our cookie restriction? :)

I have not read the source, so my question is: When not using cookies and having
URL-based sessions, where else would you store another authentication token?

I don't think this is possible, because if a user doesn't have cookies, all
that's left is HTTP Authentication [which only works with mod_php and not the
CGI] and the URI. The URI can be hijacked, so... there's nothing left to store
data in? All storage in $_SESSION will be available to the session-ID
hijacker...

Best regards,
Garvin

-- 
++ Garvin Hicking | Web-Entwickler [PHP]    | www.garv.in | ICQ 21392242
++ Developer of   | www.phpMyAdmin.net      | www.s9y.org

++ Make me happy  | http://wishes.garv.in
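
The point made in the message above, as an added example that is not part of the original e-mail or of phpMyAdmin's code: a small Python model of a server-side session store, showing that a token kept in session data follows the session id, while a second secret delivered only as a cookie does not. All names are hypothetical, and it assumes the server renders links for any request carrying a valid session id.

```python
import hmac
import secrets

SESSIONS = {}  # constructed stand-in for the server-side session store ($_SESSION per id)

def login(user):
    """Start a session; returns (sid, cookie_secret)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {
        "user": user,
        "token": secrets.token_hex(16),          # token kept in session data
        "cookie_secret": secrets.token_hex(16),  # hypothetical second secret, sent only as a cookie
    }
    return sid, SESSIONS[sid]["cookie_secret"]

def render_link(sid):
    """Without cookies the server has to write sid and token into each link it emits."""
    s = SESSIONS.get(sid)
    return None if s is None else f"/index.php?sid={sid}&token={s['token']}"

def check_url_only(sid, token):
    """Request check when the URI is the only channel."""
    s = SESSIONS.get(sid)
    return s is not None and hmac.compare_digest(s["token"], token)

def check_with_cookie(sid, token, cookie):
    """Request check when a second secret arrives in a cookie, never in the URI."""
    s = SESSIONS.get(sid)
    return (s is not None and cookie is not None
            and hmac.compare_digest(s["token"], token)
            and hmac.compare_digest(s["cookie_secret"], cookie))

def replay_with_sid_only(sid):
    """What a party holding only a leaked sid can present to each check."""
    link = render_link(sid)  # assumption: any page served for the sid carries the token
    token = link.split("token=", 1)[1]
    return {
        "url_only": check_url_only(sid, token),
        "with_cookie": check_with_cookie(sid, token, cookie=None),
    }

if __name__ == "__main__":
    sid, cookie_secret = login("alice")
    token = render_link(sid).split("token=", 1)[1]
    print("owner, cookie mode:", check_with_cookie(sid, token, cookie_secret))
    print("sid-only replay:   ", replay_with_sid_only(sid))
```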




