Session ID Generation in mysql

0 votes
54 views

I've looked through, what I believe to be, the relevant areas in the MySQL docs as well as standard search engine searches without luck. I was hoping to find some documentation that would tell me:
- how MySQL session Ids are generated (specifically, are they considered "random")
- does MySQL require session ids sent from the client to be server generated (ie the client can't make one up and that is used for the session)
- is there any other relevant security protections or concerns for mysql session management that would be of interest?

posted Jun 20, 2013 by anonymous


1 Answer

+1 vote

MySQL assigns its session IDs sequentially as they come in. I suspect, however, that you're looking for session IDs as used by websites - generation of those is entirely not a MySQL issue, it is only a potential store for them.

answer Jun 21, 2013 by anonymous

I am indeed looking for MySQL session IDs, not an HTTP session ID. I'm doing a defense in depth audit and reviewing potential threats to each remote connection - in this case session fixation. I know I can set various session timeout properties that help mitigate fixation and hijacking, but a randomly generated, server-only generated session ID goes a long way to mitigate the risk. Just a note, we are following industry best practices utilizing a DMZ... but our biggest threat is an insider, so we need to realize any potential risk.

You stated these IDs are sequential... do you know if there is any way to modify this to utilize a "random" generation? Sequential session IDs are an avenue to session hijacking.

As a MySQL client session is bound to a specific TCP connection... how would being able to predict a session ID help with hijacking that TCP session? Even more so as the session ID is not really part of the communication protocol between client and server at all and more like an identifier for SHOW PROCESSLIST (that would most likely be visible to an internal attacker anyway) and KILL (which requires SUPER privileges on the database anyway, and at that point you've already lost to an attacker...)
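The following is an added example, not part of the original thread or the answerer's words. It shows what the MySQL "session ID" discussed above actually is (the connection/thread ID that CONNECTION_ID() returns and that SHOW PROCESSLIST and KILL operate on) and the defender-side checks the thread mentions: idle-session timeouts and which accounts hold the SUPER/PROCESS privileges that make those IDs actionable. The privilege, variable and table names are MySQL's own; the timeout values and the commented-out thread ID are illustrative placeholders.

```sql
-- Added example (not from the original thread). Run as a database user of
-- your choice; privilege and variable names are MySQL's own.

-- 1. The ID of the current connection. This is the value that appears in
--    SHOW PROCESSLIST and that KILL takes as its argument.
SELECT CONNECTION_ID();

-- 2. Who is connected, from where, and for how long. Seeing other users'
--    threads requires the PROCESS privilege; without it only your own
--    rows are shown.
SHOW FULL PROCESSLIST;

-- The same data in filterable form (INFORMATION_SCHEMA.PROCESSLIST):
SELECT ID, USER, HOST, DB, COMMAND, TIME, STATE
  FROM INFORMATION_SCHEMA.PROCESSLIST
 WHERE USER <> 'event_scheduler'
 ORDER BY TIME DESC;

-- 3. Terminating a session by ID. A user may kill only their own threads
--    unless the account holds SUPER (MySQL 8.0: CONNECTION_ADMIN).
-- KILL CONNECTION 12345;   -- 12345 is a placeholder; take an ID from step 2

-- 4. Idle-session limits (seconds) that bound how long an abandoned
--    connection stays open. 600 is an illustrative value, not a default.
SET GLOBAL wait_timeout = 600;
SET GLOBAL interactive_timeout = 600;
SHOW VARIABLES WHERE Variable_name IN ('wait_timeout', 'interactive_timeout');

-- 5. Least-privilege check: which accounts hold the global privileges
--    that let a session inspect or kill other sessions.
SELECT GRANTEE, PRIVILEGE_TYPE
  FROM INFORMATION_SCHEMA.USER_PRIVILEGES
 WHERE PRIVILEGE_TYPE IN ('SUPER', 'PROCESS');
```

Step 5 is the check that follows from the last comment above: the connection ID only becomes useful to someone who already holds PROCESS or SUPER, so auditing those grants addresses the insider concern more directly than the ID sequence does.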
