List: General Discussion
From: Steven Siebert
Date: June 21 2013 12:50pm
Subject: Re: Session ID Generation
Great, thanks to all.

I don't mean to defend our auditors, because they are a PITA, but they do
appear to be decently knowledgeable in general - but they aren't, nor can
they be expected to, be specific application-level experts - otherwise, the
number of auditors we would be required to hire would be cost
prohibitive...there is a necessary balance =)  Just because MySQL
implements this way (and, obviously is conscious of these security
concerns), doesn't mean the latest NoSQL solution deployed to github,
written in python during a cocaine fuelled weekend, does...they aren't here
to say "no" to whatever software I desire to use, they just need to
verify.  So, really, the wand of ignorance should be pointed in my
direction =)

This leads me to my final question: is this documented anywhere beyond the
source code and this thread?  I was specifically searching for session id
generation, but clearly this search was too narrow. I'll look more
generally for how MySQL establishes connections and maintains sessions -
but if you happen to know where it might be documented off the top of your
head, I would appreciate it.

Thanks again for everyone's insightful and quite helpful responses.

S



On Fri, Jun 21, 2013 at 7:58 AM, Denis Jedig <dj@stripped> wrote:

> Steven,
>
> On 21.06.2013 13:35, Steven Siebert wrote:
>
>> If the TCP connection is lost...is the session effectively over and
>> can not be re-established on another socket?
>
> Yes.
>
>> In a mysql client sense, I
>> would need to re-establish a connection and set my session variables again
>> rather than just reconnect using the session ID from the "dropped"
>> connection?
>
> Yes. There is no way for a client to specify a "desired" session ID. The
> session ID is only used once - the server notifies the client of the ID
> used in the initial handshake upon connection establishment, even before
> authentication is attempted. Take a look at the docs for protocol details:
>
> <http://dev.mysql.com/doc/internals/en/connection-phase.html#plain-handshake>
>
>
>> I apologize about these basic mysql-mechanics questions - I need to satisfy
>> our auditors, so I need to understand =)
>
> The auditors should know their trade and not simply try pressing
> requirements they've read about in an IT manager magazine.
>
> Denis
