[Phpmyadmin-devel] Re: token and cookies
lists at sebastianmendel.de
Wed May 31 08:09:05 CEST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Garvin Hicking schrieb:
> Hi Marc!
>>> I have not read the source, so my question is: When not using cookies and
>>> having URL-based sessions, where else would you store another authentication
>> Do you mean a future new auth mechanism?
> No, I was talking about your proposal :)
>> Currently we have published that enabling cookies was only required with
>> auth_type = 'cookie'. I am in favor of asking to enable cookies in all cases,
>> it's just that we have to publish it evidently and do it soon, like in 2.8.2.
> I think publishing that is a good thing.
>>> I don't think this is possible, because if a user doesn't have cookies, all
>>> there's left is HTTP Authentication [which only works with mod_php and not the
>>> CGI] and the URI. The URI can be hijacked, so...there's nothing left to
>>> store data in? All storage in $_SESSION will be available to the session-ID
>> config.inc.php can store fixed auth data and we support this...
> Yes, but that would still mean that with a hijacked session ID in the URL you
> could do everything that the "real" person could do - and you were explicitly
you don't need to hijack this session - the login credentials are stored
in the cfg, you just need to open the url!
> asking if there is a way to:
> * Use session storage
> * Use session ID propagation through URL
> * Be not subject to session hijacking
> IMHO there is no way to make that happen.
at the moment this is possible only with http-auth
with session id regenerating it is fare more difficult to hijack a
session - but not impossible
it seems to me that you forget that session and login is not the same in
PMA (at least at the moment)!
at the moment an user has only the choice between cookie-, http- or
config-auth - but all this has nothing to do with session!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
-----END PGP SIGNATURE-----
More information about the Developers