screenshot of original-theme without cookies
screenshot of original-theme with cookies
Logged In: YES
user_id=414715
Also, I cannot switch the theme.
Maybe, without cookies, it will use no theme?
Logged In: YES
user_id=1383652
i can confirm that in HEAD,
not in 2.8.1 (May 20 17:33:32 UTC 2006)
Logged In: YES
user_id=210714
Confirmed broken layout in 2.8.1 without cookies.
Logged In: YES
user_id=210714
Our current version 2.8.1 needs to have cookies enabled, but
we forgot to announce this.
It's not likely that this restriction will be removed, it's
a security matter.
Logged In: YES
user_id=210714
Now documented for 2.8.2. In 2.9.0, an additional message
informs the user about this, for all authentication types.
Logged In: YES
user_id=414715
You can't be serious.
This is not a possible solution.
Why can't you save the selected theme in the session or just
load the configured default theme...
I cannot accept this.
Logged In: YES
user_id=210714
We can propagate the session id either in a cookie or in the
URL. We ruled out the URL method because of security issues
(see recent discussion in the phpmyadmin-devel list
archive), so we have no other option left.
Logged In: YES
user_id=1383652
>because of security issues
The PHP session id travels unencrypted over the net in both
cases!
Logged In: YES
user_id=210714
windkiel,
see the recent discussion "tokens and cookies" in the
phpmyadmin-devel list. Also on this page
http://www.php.net/manual/en/ref.session.php
there is an external link talking about session fixation
Logged In: YES
user_id=1383652
Marc,
Thanks for that interesting link, but I think I have no access
to the pma-devel list. Before I delve through all the
sources, is there a page that explains that token's purpose?
Logged In: YES
user_id=210714
Juergen,
go to
https://sourceforge.net/projects/phpmyadmin/
click Mail
and you'll see a link to the list archives.
Logged In: YES
user_id=210714
j-a-n, any other suggestion?
Logged In: YES
user_id=414715
I know the problem, although I haven't found the email
traffic about which you talked.
But I still think you can do it better. In my applications
I do further checks when not using a cookie:
- IP address must be the same
- browser (user_agent) must be the same
When using cookies, the IP address will not be checked.
I suggest this way to you, too. Nevertheless, I would like
you to make a config switch.
Logged In: YES
user_id=210714
j-a-n, about your further checks, are you talking about how
to propagate session id or just about cookies in general?
Logged In: YES
user_id=414715
I am talking about handling the session id, which is
done via cookie or URL.
Isn't your problem that anybody can catch the session id
via URL and can access the db?
Logged In: YES
user_id=210714
Sorry, I don't understand "isn't your problem".
Do you mean that phpMyAdmin should not bother about
defending itself against such attacks on the session id via URL?
Logged In: YES
user_id=326580
"IP address must be the same" is not a possible check!
(Users may switch proxies between requests (AOL), and not all
proxies deliver a Forwarded-For header.)
Please read the mailing list before posting any other solution
already discussed there.
(Mailing archives are down for some days, sf.net maintenance.)
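As an added example (not phpMyAdmin's own code, and not posted by any participant in this thread), the PHP snippet below implements the cookie-only session-id policy Marc describes, adds the session-id regeneration at login that defends against the session fixation the php.net page links to, and keeps only the user-agent binding from j-a-n's proposed checks, omitting IP binding for the reason given in the comment just above (proxy rotation). The function names, the `ua_hash` session key, and the PHP 7.3+ array form of `session_set_cookie_params` are assumptions of this example.

```php
<?php
// Added example: hardened session handling for the cookie-only policy
// discussed in this thread. Not phpMyAdmin code; names are illustrative.

// 1. Propagate the session id in a cookie only; never rewrite it into URLs,
//    so it cannot leak through Referer headers, logs or copied links.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject session ids the server never issued (PHP >= 5.5.2). This is the
// core mitigation against an attacker pre-setting a known id (fixation).
ini_set('session.use_strict_mode', '1');

// 2. Cookie flags: unreadable from script, and HTTPS-only when served over TLS.
//    (Plaintext HTTP still exposes the id in transit, as noted in the thread.)
$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params([          // array form: assumes PHP 7.3 or newer
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => $secure,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

// 3. Defeat session fixation: issue a fresh id once the user authenticates,
//    and delete the pre-login id so it can no longer be replayed.
function on_successful_login(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user']       = $username;
    $_SESSION['ua_hash']    = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['login_time'] = time();
}

// 4. Binding check on every request. Only the user-agent binding is kept:
//    IP binding breaks for users behind rotating proxies and not every proxy
//    sends a Forwarded-For header, so it would lock out legitimate users.
function session_is_consistent(): bool
{
    if (!isset($_SESSION['user'], $_SESSION['ua_hash'])) {
        return false;
    }
    $current = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return hash_equals($_SESSION['ua_hash'], $current);
}

// 5. On mismatch, discard the session instead of serving it.
if (isset($_SESSION['user']) && !session_is_consistent()) {
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('Session invalidated');
}
```

Two design notes: the user-agent binding is a cheap, low-confidence signal (a browser upgrade mid-session forces a re-login, and an attacker who captured the cookie usually captured the User-Agent too), so the real protection here is `use_only_cookies` plus `use_strict_mode` plus regeneration at login, not the binding. And because the cookie still travels in clear on plain HTTP, the `secure` flag only helps once the site is actually served over TLS.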
Logged In: YES
user_id=1306263
Originator: NO
Hi!
Just wanted to add that I had the phpMyAdmin layout problem for a recently installed PHP, too. It turned out that the session/upload paths in "php.ini" were not set correctly.