[Phpmyadmin-devel] Re: token and cookies

Sebastian Mendel lists at sebastianmendel.de
Wed May 31 07:38:04 CEST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc Delisle wrote:
> Sebastian Mendel wrote:
> Marc Delisle wrote:
>>>> Garvin Hicking wrote:
>>>> Hi!
>>>>
>>>>>> can't we implement some of the countermeasures as explained in
>>>>>> section 5 of this
>>>>>> document? For example, binding the legitimate user's IP address to
>>>>>> our session
>>>>>> data?
>>>>> The easiest way to counter session fixation is to just perform a
>>>>> session_regenerate_id() after the login. This way, any "fixated"
>>>>> session will be
>>>>> changed to a random session ID after the credentials are entered.
>>>> Ok, but this would move our minimum PHP version to 4.3.2. Probably not
>>>> too bad, see
>>>> http://www.nexen.net/chiffres_cles/phpversion/php_statistics_for_april_2006.php
>>>>
> 
> you can do this without session_regenerate_id() too
> 
> 
>>>> But, as you say, there would still be the hijacking problem, so let's
>>>> say that regenerating session id could be added in 2.9.x as an added
>>>> security measure, not for allowing users to disable their cookies.
> 
> but we have no hijacking problem - the login is not stored in the
> session!
> 
> You're right. I forgot this because you talked about hijacking in a
> previous message :)

Yes, but I also mentioned: "but of course this [hijacking/fixation] is
not possible with PMA currently - as the auth is not handled with the session!"


> So, with a regenerating technique we could use URL-based session id and
> avoid our cookie restriction? :)

phpMyAdmin is not just any web application, it is an administration tool!
And I think we can demand that our customers accept cookies for their
own security!

Whether or not it is possible at the moment to make any use of a hijacked
session id!

We should try to be as secure as possible from the start!

And if it is really really really required to use URL-based session ids,
then we could introduce a config switch to enable this - but I think
most ISPs will never set this to true (even more, I think if it were
enabled by default most would set it to false), as most ISPs know that if
something goes wrong the customers blame them (the ISP) and not
themselves!


- --
Sebastian Mendel

www.sebastianmendel.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFEfasWX/0lClpZDr4RAkyQAJ0SWim704J/egOTyU0Vq9uGgO0V6ACggOCP
JeTvVO1g4RhQywjvwqi4BWw=
=i6Wu
-----END PGP SIGNATURE-----
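The countermeasures discussed in this thread (regenerating the session id after login, refusing URL-based session ids in favour of cookies, and optionally binding the session to the client), as an added example that is not phpMyAdmin code and does not reflect how phpMyAdmin handles authentication (the thread notes that PMA at this point does not keep the login in the session at all). It assumes PHP 5.1 or later, because the `true` argument to `session_regenerate_id()` that deletes the old server-side session is not available in the 4.3.2 minimum mentioned above; `credentials_valid()` is a hypothetical stand-in for a real user store:

```php
<?php
// Added example, not phpMyAdmin code: a minimal cookie-only login handler
// that defeats session fixation by issuing a fresh session id at the moment
// the session gains privilege. Assumes PHP >= 5.1.

// Never accept a session id from the URL or from a trans-sid rewrite. This
// closes the trivial fixation vector (a link carrying ?PHPSESSID=attacker_chosen)
// and also keeps the id out of referer headers and proxy logs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Secure flag only when the request itself is HTTPS; HttpOnly keeps the cookie
// away from script access.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(0, '/', '', $https, true);
session_start();

// Hypothetical credential check; a real one consults the user store.
function credentials_valid($user, $password)
{
    return $user === 'admin' && $password === 'correct horse battery staple';
}

// Coarse client binding (the "bind the IP to the session" idea from the
// thread). Clients behind rotating proxies will be logged out by this check,
// so it is a trade-off, not a free win.
function client_fingerprint()
{
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return sha1($ip . '|' . $ua);
}

function login($user, $password)
{
    if (!credentials_valid($user, $password)) {
        return false;
    }
    // Whatever session id the browser arrived with (possibly one planted by an
    // attacker) is abandoned here: a new random id is issued and the old
    // server-side session data is deleted.
    session_regenerate_id(true);
    $_SESSION = array();             // start from an empty state, not the planted one
    $_SESSION['user']        = $user;
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['login_time']  = time();
    return true;
}

function logout()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Returns the logged-in user name, or null. A session whose fingerprint no
// longer matches the requesting client is treated as stolen and destroyed.
function current_user()
{
    if (empty($_SESSION['user'])) {
        return null;
    }
    if ($_SESSION['fingerprint'] !== client_fingerprint()) {
        logout();
        return null;
    }
    return $_SESSION['user'];
}

// Request dispatch.
if (isset($_POST['user'], $_POST['password'])) {
    if (login($_POST['user'], $_POST['password'])) {
        header('Location: ' . $_SERVER['PHP_SELF']);
        exit;
    }
    echo 'Login failed';
} elseif (($u = current_user()) !== null) {
    echo 'Logged in as ' . htmlspecialchars($u, ENT_QUOTES, 'UTF-8');
} else {
    echo '<form method="post">'
       . '<input name="user"><input type="password" name="password">'
       . '<input type="submit" value="Login"></form>';
}
```

The regeneration is what matters: with `session.use_only_cookies` off, an attacker who gets a victim to follow a link with a chosen PHPSESSID owns that id, and if the login simply adds `user` to the existing session, the attacker's copy of the id is now an authenticated session. Regenerating on privilege change means the id the attacker knows is never the one that carries the login, regardless of how it was delivered, which is why it is worth doing even on a cookie-only deployment.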