----- Original Message -----

> From: "Steven Siebert" <smsi...@gmail.com>
> Subject: Re: Session ID Generation

> I am indeed looking for MySQL session IDs, not an HTTP session ID.
> I'm doing a defense in depth audit and reviewing potential threats
> to each remote connection - in this case session fixation. I know I
> can set various session timeout properties that help mitigate
> fixation and hijacking, but a randomly generated server-only
> generated session id goes a long way to mitigate the risk. Just a
> note, we are following industry best practices utilizing a DMZ...but
> our biggest threat is an insider, so we need to realize any
> potential risk.

> You stated these IDs are sequential...do you know if there is any way
> to modify this to utilize a "random" generation? Sequential session
> IDs are an avenue to session hijacking.
I have to admit that's way out of my depth. My response merely concerned the 
"session ID" that is shown to the administrators, and those are just an 
incremental counter. I have no idea how sessions are handled internally. You 
might be better off on the developer mailing list for those kinds of questions,
I think. 

-- 

Unhappiness is discouraged and will be corrected with kitten pictures. 
