List: General Discussion
From: Denis Jedig
Date: June 21 2013 11:18am
Subject: Re: Session ID Generation
On 21.06.2013 12:48, Steven Siebert wrote:

> You stated these IDs are sequential...do you know if there is any way to
> modify this to utilize a "random" generation?  Sequential session IDs are
> an avenue to session hijacking.

There is no attack vector opening up by knowing a session ID. A 
"session" is tied to a socket which in turn would be a TCP/IP 
network connection. As long as TCP/IP connection hijacking is 
considered unfeasible, so will the corresponding session. If 
connection hijacking is a concern in your environment, consider 
using SSL/TLS as an additional measure against a number of attacks 
- including eavesdropping and data manipulation.

http://www.yassl.com/files/yassl_securing_mysql.pdf

Denis