List: General Discussion
From: Johan De Meersman  Date: June 21 2013 10:58am
Subject:Re: Session ID Generation
----- Original Message -----

> From: "Steven Siebert" <smsiebe@stripped>
> Subject: Re: Session ID Generation

> I am indeed looking for MySQL session IDs, not an HTTP session ID.
> I'm doing a defense in depth audit and reviewing potential threats
> to each remote connection - in this case session fixation. I know I
> can set various session timeout properties that help mitigate
> fixation and hijacking, but a randomly generated server-only
> generated session id goes a long way to mitigate the risk. Just a
> note, we are following industry best practices utilizing a DMZ...but
> our biggest threat is an insider, so we need to realize any
> potential risk.

> You stated these IDs are sequential...do you know if there is any way
> to modify this to utilize a "random" generation? Sequential session
> IDs are an avenue to session hijacking.

I have to admit that's way out of my depth. My response merely concerned the "session ID"
that is shown to the administrators, and those are just an incremental counter. I have no
idea how sessions are handled internally. You might be better off on the developer mailing
list for those kinds of questions, I think.

-- 

Unhappiness is discouraged and will be corrected with kitten pictures. 
