phpMyAdmin / Bugs / #839 Clear passwords in cookies

#839 Clear passwords in cookies

Status: invalid

Owner: Marc Delisle

Labels: Authentication issues (70)

Priority: 1

Updated: 2013-06-11

Created: 2003-05-03

Creator: Anonymous

Private: No

Is it just me or does it seem like storing the user name and
passwords in cookies as clear text is a serious security hole.

Particularly since they're named so obviously as
'pma_cookie_password' and 'pma_cookie_username'???

Seems like a simple fix to store the cookie authentication as a
hash instead.

Discussion

Nobody/Anonymous - 2003-05-03

Logged In: NO

Above refers the login process for using phpMyAdmin...

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Garvin Hicking - 2003-05-03

labels: 509104 --> Authentication issues
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Garvin Hicking - 2003-05-03

Logged In: YES
user_id=473563

We somewhen had the discussion about storing this data
encrypted, but robbat2 reported some problems with id.

Sadly, I can't remember the thread/tracker item about this.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Marc Delisle - 2003-05-03

Logged In: YES
user_id=210714

Garvin,

don't be sad (It's now in the features requests):
https://sourceforge.net/tracker/index.php?func=detail&aid=564793&group_id=23067&atid=377411

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Marc Delisle - 2003-05-03

summary: Password stored in clear --> Clear passwords in cookies
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Marc Delisle - 2003-05-03

Logged In: YES
user_id=210714

Also, I remind you that the password AFAIK is not stored in
permanent cookies. The security problem is the password
going in clear over the wire, and the usual solution is
using https.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Marc Delisle - 2003-05-06

Logged In: YES
user_id=210714

So can we close this bug report?

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Marc Delisle - 2003-05-09

assigned_to: nobody --> lem9
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Garvin Hicking - 2003-05-12

priority: 5 --> 1

status: open --> closed-rejected
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Michal Čihař - 2013-06-11

Status: closed-rejected --> invalid
If you would like to refer to this comment somewhere else in this project, copy and paste the following link: