Tanks for responding Johan.
I am indeed looking for MySQL session ID's, not an HTTP session ID. I'm
doing a defense in depth audit and reviewing potential threats to each
remote connection - in this case session fixation. I know I can set
various session timeout properties that help mitigate fixation and
hijacking, but a randomly generated server-only generated session id goes a
log way to mitigate the risk. Just a note, we are following industry best
practices utilizing a DMZ...but out biggest threat is an insider, so we
need to realize any potential risk.
You stated these IDs are sequential...do you know if there is any way to
modify this to utilize a "random" generation? Sequential session IDs are
an avenue to session hijacking.
On Fri, Jun 21, 2013 at 2:40 AM, Johan De Meersman <vegivamp@stripped>wrote:
> Mysql assigns its session IDs sequentially as they come in. I suspect,
> however, that you're looking for session IDs as used by websites
> -generation of those is entirely not a mysql issue, it is only a potential
> store for them.
> Steven Siebert <smsiebe@stripped> wrote:
>> Hello all,
>> I've looked though, what I believe to be, the relevant areas in the MySQL
>> docs as well as standard search engine searches without luck. I was
>> hoping to find some documentation that would tell me:
>> - how MySQL session Ids are generated (specifically, are they considered
>> - does MySQL require session ids sent from the client to be server
>> generated (ie the client can't make one up and that is used for the session)
>> - is there any other relevant security protections or concerns for mysql
>> session management that would be of interest?
> Sent from Kaiten Mail. Please excuse my brevity.