Great, thanks to all.
I don't mean to defend our auditors, because they are a PITA, but they do
appear to be decently knowledgeable in general - but they aren't, nor can
they be expected to be, specific application-level experts - otherwise, the
number of auditors we would be required to hire would be cost
prohibitive...there is a necessary balance =) Just because MySQL
implements it this way (and, obviously, is conscious of these security
concerns), doesn't mean the latest NoSQL solution deployed to GitHub,
written in Python during a cocaine-fuelled weekend, does...they aren't here
to say "no" to whatever software I desire to use, they just need to
verify. So, really, the wand of ignorance should be pointed in my
This leads me to my final question: is this documented anywhere beyond the
source code and this thread? I was specifically searching for session id
generation, but clearly this search was too narrow. I'll look more
generally for how MySQL establishes connections and maintains sessions -
but if you happen to know where it might be documented off the top of your
head, I would appreciate it.
Thanks again for everyone's insightful and quite helpful responses.
On Fri, Jun 21, 2013 at 7:58 AM, Denis Jedig <dj@stripped> wrote:
> On 21.06.2013 13:35, Steven Siebert wrote:
>> If the TCP connection is lost...is the session effectively over and
>> can not be re-established on another socket?
>> In a mysql client sense, I
>> would need to re-establish a connection and set my session variables again
>> rather than just reconnect using the session ID from the "dropped"
> Yes. There is no way for a client to specify a "desired" session ID. The
> session ID is only used once - the server notifies the client of the ID
> used in the initial handshake upon connection establishment, even before
> authentication is attempted. Take a look at the docs for protocol details:
>> I apologize about these basic mysql-mechanics questions - I need to
>> our auditors, so I need to understand =)
> The auditors should know their trade and not simply try pressing
> requirements they've read about in an IT manager magazine.
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: http://lists.mysql.com/mysql
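For anyone landing on this thread from a search like Steven's: the point Denis makes (the server hands the client its connection id in the very first packet, before any credentials are exchanged, and the client has no field in which to ask for a particular id) is easiest to see by looking at the Handshake V10 packet itself. The following is an added example written for this page, not code from the thread or from MySQL; it builds a constructed handshake packet with the field layout from the MySQL client/server protocol documentation and parses it back the way a client would. The sample values (connection id 42, version "8.0.34", the salt bytes, mysql_native_password) are made up for the demonstration.

```python
import struct

# Capability flag bits from the MySQL client/server protocol (only the three
# this example needs).
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def build_handshake_v10(connection_id, server_version, salt, plugin, capabilities):
    """Build the server's initial Handshake V10 packet. A MySQL server writes
    this on a fresh TCP connection before the client has sent a byte, so the
    connection id and the 20-byte auth salt both travel pre-authentication."""
    if len(salt) != 20:
        raise ValueError("mysql_native_password salt is 20 bytes")
    p = bytes([0x0A])                                  # protocol version 10
    p += server_version.encode() + b"\x00"             # NUL-terminated version string
    p += struct.pack("<I", connection_id)              # server-assigned connection id
    p += salt[:8] + b"\x00"                            # auth-plugin-data-part-1 + filler
    p += struct.pack("<H", capabilities & 0xFFFF)      # capability flags, lower 16 bits
    p += bytes([0x21])                                 # server charset (utf8_general_ci)
    p += struct.pack("<H", 0x0002)                     # status flags (SERVER_STATUS_AUTOCOMMIT)
    p += struct.pack("<H", capabilities >> 16)         # capability flags, upper 16 bits
    # length of the whole scramble plus its trailing NUL (21), or 0 without PLUGIN_AUTH
    p += bytes([len(salt) + 1 if capabilities & CLIENT_PLUGIN_AUTH else 0])
    p += b"\x00" * 10                                  # reserved
    if capabilities & CLIENT_SECURE_CONNECTION:
        p += salt[8:] + b"\x00"                        # part-2: max(13, 21-8) = 13 bytes
    if capabilities & CLIENT_PLUGIN_AUTH:
        p += plugin.encode() + b"\x00"                 # NUL-terminated auth plugin name
    header = len(p).to_bytes(3, "little") + b"\x00"    # 3-byte length + sequence id 0
    return header + p


def parse_handshake_v10(packet):
    """Parse a Handshake V10 packet as a client would, returning the fields a
    connection-level audit cares about. Raises ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    if payload[0] != 0x0A:
        raise ValueError("not a protocol-version-10 handshake")
    pos = 1
    end = payload.index(b"\x00", pos)
    server_version = payload[pos:end].decode()
    pos = end + 1
    connection_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4
    salt = payload[pos:pos + 8]
    pos += 8 + 1                                       # part-1 and filler byte
    cap_lo = struct.unpack_from("<H", payload, pos)[0]
    pos += 2
    charset = payload[pos]
    pos += 1
    status = struct.unpack_from("<H", payload, pos)[0]
    pos += 2
    cap_hi = struct.unpack_from("<H", payload, pos)[0]
    pos += 2
    capabilities = (cap_hi << 16) | cap_lo
    auth_len = payload[pos]
    pos += 1 + 10                                      # auth_len byte and reserved bytes
    if capabilities & CLIENT_SECURE_CONNECTION:
        part2_len = max(13, auth_len - 8)
        scramble_len = (auth_len - 1) if auth_len else 20   # drop the trailing NUL
        salt += payload[pos:pos + part2_len][:scramble_len - 8]
        pos += part2_len
    plugin = None
    if capabilities & CLIENT_PLUGIN_AUTH:
        end = payload.find(b"\x00", pos)
        plugin = payload[pos:(end if end != -1 else len(payload))].decode()
    return {
        "sequence_id": packet[3],
        "server_version": server_version,
        "connection_id": connection_id,
        "salt": salt,
        "capabilities": capabilities,
        "charset": charset,
        "status_flags": status,
        "auth_plugin": plugin,
    }


# Constructed sample packet, not a capture from a real server.
SAMPLE_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
SAMPLE_PACKET = build_handshake_v10(42, "8.0.34", b"abcdefghijklmnopqrst",
                                    "mysql_native_password", SAMPLE_CAPS)

if __name__ == "__main__":
    info = parse_handshake_v10(SAMPLE_PACKET)
    print("connection id %d assigned before any credentials were sent" % info["connection_id"])
    print("salt:", info["salt"], "plugin:", info["auth_plugin"])
```

Two things to take from it when answering an auditor: the connection id is the same number that appears in the Id column of SHOW PROCESSLIST and that KILL takes, and it is chosen by the server and read by the client; the client's reply (the HandshakeResponse) carries credentials, capability flags and a default database, but no field in which to propose or resume an id. The 20-byte salt in the same packet is a per-connection challenge for the password exchange, not a reusable session token, so losing the TCP connection means a fresh handshake, a fresh id and a fresh salt.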