----- Original Message -----
> From: "Steven Siebert" <smsiebe@stripped>
> Subject: Re: Session ID Generation
> I am indeed looking for MySQL session IDs, not an HTTP session ID.
> I'm doing a defense in depth audit and reviewing potential threats
> to each remote connection - in this case session fixation. I know I
> can set various session timeout properties that help mitigate
> fixation and hijacking, but a randomly generated server-only
> generated session id goes a long way to mitigate the risk. Just a
> note, we are following industry best practices utilizing a DMZ...but
> our biggest threat is an insider, so we need to realize any
> potential risk.
> You stated these IDs are sequential...do you know if there is any way
> to modify this to utilize a "random" generation? Sequential session
> IDs are an avenue to session hijacking.
I have to admit that's way out of my depth. My response merely concerned the "session ID"
that is shown to the administrators, and those are just an incremental counter. I have no
idea how sessions are handled internally. You might be better off on the developer mailing
list for those kinds of questions, I think.
Unhappiness is discouraged and will be corrected with kitten pictures.
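An added example, not code from this thread or from MySQL, illustrating the two points the question raises: why an incrementing counter (the kind of "session ID" the reply says administrators see) is guessable while a server-generated random ID is not, and why rotating the ID at login is what actually defeats fixation. The CounterSessionIds, RandomSessionIds and SessionStore classes are constructed for the demonstration and are assumptions, not MySQL internals.

```python
import secrets


class CounterSessionIds:
    """Sequential IDs, mimicking an incremental counter (constructed for the
    example; not MySQL's own generator)."""

    def __init__(self, start=1):
        self._next = start

    def new(self):
        sid = self._next
        self._next += 1
        return str(sid)


class RandomSessionIds:
    """Server-only generated IDs: 32 bytes from the OS CSPRNG, URL-safe encoded."""

    def new(self):
        return secrets.token_urlsafe(32)


def guess_next(last_seen):
    """Attacker's prediction for the ID issued right after one they observed.
    Returns None when the observed ID is not a plain counter value."""
    try:
        return str(int(last_seen) + 1)
    except ValueError:
        return None


class SessionStore:
    """Minimal server-side session table (assumed for the example)."""

    def __init__(self, generator):
        self._gen = generator
        self._sessions = {}  # sid -> authenticated user, or None

    def create(self):
        sid = self._gen.new()
        self._sessions[sid] = None
        return sid

    def login(self, sid, user):
        """Authenticate and rotate the ID. An ID an attacker planted on the
        victim beforehand stops being valid the moment the victim logs in."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        del self._sessions[sid]
        new_sid = self._gen.new()
        self._sessions[new_sid] = user
        return new_sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def attacker_can_predict(generator_cls):
    """Attacker opens their own session, sees its ID, and guesses the ID the
    next client (the victim) receives. True only for the sequential generator."""
    store = SessionStore(generator_cls())
    attacker_sid = store.create()
    victim_sid = store.create()
    return guess_next(attacker_sid) == victim_sid


def fixation_defeated(generator_cls):
    """Attacker obtains an ID and plants it on the victim; after the victim
    logs in, the planted ID must be dead and the live one must differ from it."""
    store = SessionStore(generator_cls())
    planted = store.create()
    live = store.login(planted, "victim")
    return (
        store.lookup(planted) is None
        and store.lookup(live) == "victim"
        and live != planted
    )


if __name__ == "__main__":
    print("counter IDs predictable:", attacker_can_predict(CounterSessionIds))
    print("random IDs predictable: ", attacker_can_predict(RandomSessionIds))
    print("rotation defeats fixation (counter):", fixation_defeated(CounterSessionIds))
    print("rotation defeats fixation (random): ", fixation_defeated(RandomSessionIds))
```

Note that rotation on login defeats fixation with either generator; only the random generator closes the guessing avenue as well, which is why the two controls are complementary rather than interchangeable.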