List: General Discussion
From: Hartmut Holzgraefe  Date: June 21 2013 11:13am
Subject: Re: Session ID Generation
On 21.06.2013 12:48, Steven Siebert wrote:

> You stated these IDs are sequential...do you know if there is any way to
> modify this to utilize a "random" generation?  Sequential session IDs are
> an avenue to session hijacking.

as a MySQL client session is bound to a specific TCP connection ... how
would being able to predict a session ID help with hijacking that TCP
session? Even more so as the session ID is not really part of the
communication protocol between client and server at all and more like
an identifier for SHOW PROCESSLIST (that would most likely be visible
to an internal attacker anyway) and KILL (which requires SUPER
privileges on the database anyway, and at that point you've already
lost to an attacker ...)

-- 
Hartmut Holzgraefe <hartmut@stripped>
Principal Support Engineer (EMEA)
SkySQL AB - http://www.skysql.com/
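The following is an added illustration of the point made in the reply above; it is not part of the original thread and not code from any of its participants. It walks through what a MySQL connection ID actually is (the per-connection handle returned by CONNECTION_ID() and shown in SHOW PROCESSLIST) and what a low-privileged user can and cannot do with a predicted one. The account name 'app_ro' and its password are constructed for the example; the connection IDs 41 and 42 are placeholders for whatever the server hands out.

```sql
-- Added example, not from the original thread or from MySQL's own docs.
-- Shows that a MySQL connection ID is only a handle for SHOW PROCESSLIST
-- and KILL, so predicting one gives an attacker nothing unless they already
-- hold the PROCESS and SUPER privileges on the server.
-- 'app_ro' and its password are constructed for this illustration.

-- Session A: an administrative account that already has SUPER and PROCESS.
CREATE USER 'app_ro'@'localhost' IDENTIFIED BY 'constructed-password';
GRANT SELECT ON test.* TO 'app_ro'@'localhost';
-- Note: no PROCESS and no SUPER are granted to app_ro.

SELECT CONNECTION_ID();
-- e.g. 41: the ID of this TCP connection. It is assigned by the server
-- after authentication; the client never sends it as a credential.

-- Session B: a separate TCP connection, authenticated as app_ro@localhost.
SELECT CONNECTION_ID();
-- e.g. 42: IDs are handed out sequentially, so 41 is trivially guessable.

SHOW GRANTS FOR CURRENT_USER();
-- Shows only "GRANT USAGE ON *.*" and "GRANT SELECT ON test.*":
-- no PROCESS, no SUPER.

SHOW PROCESSLIST;
-- Without the PROCESS privilege this lists only app_ro's own threads,
-- so session A (ID 41) is not even visible from here.

KILL 41;
-- ERROR 1095 (HY000): You are not owner of thread 41
-- Knowing (or guessing) the ID does not let a non-SUPER user touch
-- someone else's connection; it can only kill its own threads:
KILL 42;
-- Succeeds, and terminates app_ro's own connection. The next statement on
-- this connection fails with a lost-connection error and the client must
-- reconnect, re-authenticating with its password, not with an ID.

-- Session A again (SUPER): the admin can see and kill any thread.
SHOW PROCESSLIST;
KILL 42;
-- Succeeds. This is the only case where acting on another connection's ID
-- works, and it requires a privilege that already implies full control.
```

The check a practitioner would run on a real deployment is the SHOW GRANTS step: if an application account turns up with PROCESS or SUPER, that is the finding, not the sequential ID.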
Thread
Session ID Generation (Steven Siebert, 20 Jun)
  • Re: Session ID Generation (Johan De Meersman, 21 Jun)
    • Re: Session ID Generation (Steven Siebert, 21 Jun)
      • Re: Session ID Generation (Johan De Meersman, 21 Jun)
      • Re: Session ID Generation (Hartmut Holzgraefe, 21 Jun)
        • Re: Session ID Generation (Steven Siebert, 21 Jun)
          • Re: Session ID Generation (Hartmut Holzgraefe, 21 Jun)
          • Re: Session ID Generation (Denis Jedig, 21 Jun)
            • Re: Session ID Generation (Steven Siebert, 21 Jun)
              • Re: Session ID Generation (shawn green, 22 Jun)
      • Re: Session ID Generation (Denis Jedig, 21 Jun)