[Phpmyadmin-devel] Re: token and cookies
Marc Delisle
Marc.Delisle at cegepsherbrooke.qc.ca
Wed May 31 07:49:00 CEST 2006
Garvin Hicking wrote:
> Hi!
>
>> So, with a regenerating technique we could use URL-based session id and
>> avoid our cookie restriction? :)
>
> I have not read the source, so my question is: When not using cookies and having
> URL-based sessions, where else would you store another authentication token?
Do you mean a future new auth mechanism?
Currently we have published that enabling cookies was only required with
auth_type = 'cookie'. I am in favor of asking to enable cookies in all
cases, it's just that we have to publish it evidently and do it soon,
like in 2.8.2.
>
> I don't think this is possible, because if a user doesn't have cookies, all
> there's left is HTTP Authentication [which only works with mod_php and not the
> CGI] and the URI. The URI can be hijacked, so...there's nothing left to store
> data in? All storage in $_SESSION will be available to the session-ID
> hijacker...
config.inc.php can store fixed auth data and we support this...
Marc
>
> Best regards,
> Garvin
>