[Phpmyadmin-devel] Re: token and cookies

Garvin Hicking phpmyadmin at supergarv.de
Wed May 31 07:58:04 CEST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Marc!

>> I have not read the source, so my question is: When not using cookies and
>> having URL-based sessions, where else would you store another authentication
>> token?
>
> Do you mean a future new auth mechanism?

No, I was talking about your proposal :)

> Currently we have published that enabling cookies was only required with
> auth_type = 'cookie'.  I am in favor of asking to enable cookies in all cases,
> it's just that we have to publish it evidently and do it soon, like in 2.8.2.

I think publishing that is a good thing.

>> I don't think this is possible, because if a user doesn't have cookies, all
>> that's left is HTTP Authentication [which only works with mod_php and not the
>> CGI] and the URI. The URI can be hijacked, so...there's nothing left to
>> store data in? All storage in $_SESSION will be available to the session-ID
>> hijacker...
>
> config.inc.php can store fixed auth data and we support this...

Yes, but that would still mean that with a hijacked session ID in the URL you
could do everything that the "real" person could do - and you were explicitly
asking if there is a way to:

* Do not use cookies
* Use session storage
* Use session ID propagation through URL
* Not be subject to session hijacking

IMHO there is no way to make that happen.

Best regards,
Garvin

- --
++ Garvin Hicking | Web-Entwickler [PHP]    | www.garv.in | ICQ 21392242
++ Developer of   | www.phpMyAdmin.net      | www.s9y.org

++ Make me happy  | http://wishes.garv.in

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEfa+tUZolOPYrUhYRAg6TAJ4kEutSnaFs+36y+5oTJsdMx14pVgCbBB7b
HcoV8WdO2XNJetVOcQIjYOY=
=Wggh
-----END PGP SIGNATURE-----
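The point Garvin makes above, that a second token kept in $_SESSION cannot protect a URL-propagated session because whoever captures the URL reaches the same session, is easy to see in a small model. The following is an added example, not code from this thread or from phpMyAdmin: it simulates a server-side session store keyed by PHPSESSID (PHP's default session name) and compares two placements of an extra token. The parameter name `token` and the cookie name `pma_token` are assumptions chosen for the illustration. The model goes slightly beyond the message by showing the one placement that does work: the extra token has to travel in a channel the URL hijacker does not have, i.e. a cookie.

```python
"""Model of URL-propagated sessions vs. a URL-hijacker (added example, not
phpMyAdmin code). Two variants of an 'extra auth token' are compared:
  token_in_url    - token sent as a URL parameter next to PHPSESSID
  token_in_cookie - token sent in a cookie, with the session ID still in the URL
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Request:
    """What the server sees: URL parameters (capturable) and cookies (not in the URL)."""
    query: Dict[str, str]
    cookies: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Stand-in for PHP's server-side session storage ($_SESSION keyed by session ID)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user}
        return sid

    def get(self, sid: str) -> Optional[Dict[str, str]]:
        return self._sessions.get(sid)


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def login(store: SessionStore, user: str, token_in_cookie: bool) -> Request:
    """Legitimate login. The server keeps only a hash of the extra token in
    $_SESSION; the client receives the token either in the URL or in a cookie
    (hypothetical names 'token' and 'pma_token')."""
    sid = store.create(user)
    token = secrets.token_hex(16)
    store.get(sid)["token_hash"] = sha256_hex(token)
    if token_in_cookie:
        return Request(query={"PHPSESSID": sid}, cookies={"pma_token": token})
    return Request(query={"PHPSESSID": sid, "token": token})


def hijack(victim: Request) -> Request:
    """Attacker who obtained the victim's URL (Referer leak, proxy log, shoulder
    surfing) but nothing else: cookies are not part of the URL."""
    return Request(query=dict(victim.query))


def authenticate(store: SessionStore, req: Request, token_in_cookie: bool) -> Optional[str]:
    """Return the authenticated user name, or None if the request is rejected."""
    sess = store.get(req.query.get("PHPSESSID", ""))
    if sess is None:
        return None
    presented = req.cookies.get("pma_token") if token_in_cookie else req.query.get("token")
    if presented is None or not hmac.compare_digest(sha256_hex(presented), sess["token_hash"]):
        return None
    return sess["user"]


def demo() -> Dict[str, Optional[str]]:
    """Run both variants against a victim and a URL-only hijacker."""
    results: Dict[str, Optional[str]] = {}
    for token_in_cookie, name in ((False, "token_in_url"), (True, "token_in_cookie")):
        store = SessionStore()
        victim = login(store, "root", token_in_cookie)
        attacker = hijack(victim)
        results[f"{name}/victim"] = authenticate(store, victim, token_in_cookie)
        results[f"{name}/hijacker"] = authenticate(store, attacker, token_in_cookie)
    return results


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:26} -> {'accepted as ' + user if user else 'rejected'}")
```

With the token in the URL the hijacker is accepted exactly like the victim, because the URL is the whole secret and $_SESSION holds nothing the attacker cannot reach through it; only the cookie variant rejects the hijacker, which is why the message concludes that the four requirements in the list cannot all be met at once.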