Re: Session ID Generation
Hello Steven,

On 6/21/2013 8:50 AM, Steven Siebert wrote:
> Great, thanks to all.
>
> I don't mean to defend our auditors, because they are a PITA, but they do appear to be decently knowledgeable in general - but they aren't, nor can they be expected to be, specific application-level experts - otherwise, the number of auditors we would be required to hire would be cost prohibitive...there is a necessary balance =)
>
> Just because MySQL implements this way (and, obviously, is conscious of these security concerns), doesn't mean the latest NoSQL solution deployed to github, written in python during a cocaine fuelled weekend, does...they aren't here to say no to whatever software I desire to use, they just need to verify. So, really, the wand of ignorance should be pointed in my direction =)
>
> This leads me to my final question: is this documented anywhere beyond the source code and this thread? I was specifically searching for session id generation, but clearly this search was too narrow. I'll look more generally for how MySQL establishes connections and maintains sessions - but if you happen to know where it might be documented off the top of your head, I would appreciate it.
>
> Thanks again for everyone's insightful and quite helpful responses.
>
> ... snipped ...

I believe that between the source code and the MySQL Internals manual, you will get more answers than you might have been looking for. Of course, if you need any clarification you can always bring those questions back to the list.

http://dev.mysql.com/doc/internals/en/client-server-protocol.html

-- 
Shawn Green
MySQL Principal Technical Support Engineer
Oracle USA, Inc. - Hardware and Software, Engineered to Work Together.
Office: Blountville, TN

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql
Re: Session ID Generation
Mysql assigns its session IDs sequentially as they come in. I suspect, however, that you're looking for session IDs as used by websites - generation of those is entirely not a mysql issue, it is only a potential store for them.

Steven Siebert smsi...@gmail.com wrote:
> Hello all,
>
> I've looked through, what I believe to be, the relevant areas in the MySQL docs as well as standard search engine searches without luck. I was hoping to find some documentation that would tell me:
>
> - how MySQL session Ids are generated (specifically, are they considered random)
> - does MySQL require session ids sent from the client to be server generated (ie the client can't make one up and that is used for the session)
> - is there any other relevant security protections or concerns for mysql session management that would be of interest?
>
> Thanks,
> Steve

-- 
Sent from Kaiten Mail. Please excuse my brevity.
Re: Session ID Generation
----- Original Message -----
From: Steven Siebert smsi...@gmail.com
Subject: Re: Session ID Generation

> I am indeed looking for MySQL session ID's, not an HTTP session ID. I'm doing a defense in depth audit and reviewing potential threats to each remote connection - in this case session fixation. I know I can set various session timeout properties that help mitigate fixation and hijacking, but a randomly generated, server-only generated session id goes a long way to mitigate the risk. Just a note, we are following industry best practices utilizing a DMZ...but our biggest threat is an insider, so we need to realize any potential risk.
>
> You stated these IDs are sequential...do you know if there is any way to modify this to utilize a random generation? Sequential session IDs are an avenue to session hijacking.

I have to admit that's way out of my depth. My response merely concerned the session ID that is shown to the administrators, and those are just an incremental counter. I have no idea how sessions are handled internally. You might be better off on the developer mailing list for those kind of questions, I think.

-- 
Unhappiness is discouraged and will be corrected with kitten pictures.
Re: Session ID Generation
On 21.06.2013 12:48, Steven Siebert wrote:
> You stated these IDs are sequential...do you know if there is any way to modify this to utilize a random generation? Sequential session IDs are an avenue to session hijacking.

As a MySQL client session is bound to a specific TCP connection ... how would being able to predict a session ID help with hijacking that TCP session?

Even more so as the session ID is not really part of the communication protocol between client and server at all and more like an identifier for SHOW PROCESSLIST (that would most likely be visible to an internal attacker anyway) and KILL (which requires SUPER privileges on the database anyway, and at that point you've already lost to an attacker ...)

-- 
Hartmut Holzgraefe hart...@skysql.com
Principal Support Engineer (EMEA)
SkySQL AB - http://www.skysql.com/
Re: Session ID Generation
On 21.06.2013 13:35, Steven Siebert wrote:
> Hartmut - if the session Id is not a meaningful part of the client/server protocol, is the session managed by the transport layer rather than the app layer? If the TCP connection is lost...is the session effectively over and can not be re-established on another socket?

Yes, the lifetime of a connection is bound to the lifetime of the underlying transport session.

Also, even if you could hijack an established TCP or Unix Domain Socket connection, you'd still need to figure out how to use it without bringing the protocol flow out of sync.

-- 
Hartmut Holzgraefe hart...@skysql.com
Principal Support Engineer (EMEA)
SkySQL AB - http://www.skysql.com/
Re: Session ID Generation
Am 21.06.2013 12:48, schrieb Steven Siebert:
> You stated these IDs are sequential...do you know if there is any way to modify this to utilize a random generation? Sequential session IDs are an avenue to session hijacking.

There is no attack vector opening up by knowing a session ID. A session is tied to a socket which in turn would be a TCP/IP network connection. As long as TCP/IP connection hijacking is considered unfeasible, so will the corresponding session.

If connection hijacking is a concern in your environment, consider using SSL/TLS as an additional measure against a number of attacks - including eavesdropping and data manipulation.

http://www.yassl.com/files/yassl_securing_mysql.pdf

Denis
Re: Session ID Generation
Hartmut/Denis - Great information, thank you! I was unaware that mysql bound the session id to the socket in such a way that it would not permit that session id to be provided on another socket. This was the missing piece.

Hartmut - if the session Id is not a meaningful part of the client/server protocol, is the session managed by the transport layer rather than the app layer? If the TCP connection is lost...is the session effectively over and can not be re-established on another socket? In a mysql client sense, I would need to re-establish a connection and set my session variables again rather than just reconnect using the session ID from the dropped connection?

I apologize about these basic mysql-mechanics questions - I need to satisfy our auditors, so I need to understand =)

Thanks,
S

On Fri, Jun 21, 2013 at 7:13 AM, Hartmut Holzgraefe hart...@skysql.com wrote:
> On 21.06.2013 12:48, Steven Siebert wrote:
>> You stated these IDs are sequential...do you know if there is any way to modify this to utilize a random generation? Sequential session IDs are an avenue to session hijacking.
>
> As a MySQL client session is bound to a specific TCP connection ... how would being able to predict a session ID help with hijacking that TCP session?
>
> Even more so as the session ID is not really part of the communication protocol between client and server at all and more like an identifier for SHOW PROCESSLIST (that would most likely be visible to an internal attacker anyway) and KILL (which requires SUPER privileges on the database anyway, and at that point you've already lost to an attacker ...)
>
> -- 
> Hartmut Holzgraefe hart...@skysql.com
> Principal Support Engineer (EMEA)
> SkySQL AB - http://www.skysql.com/
Re: Session ID Generation
Steven,

Am 21.06.2013 13:35, schrieb Steven Siebert:
> If the TCP connection is lost...is the session effectively over and can not be re-established on another socket?

Yes.

> In a mysql client sense, I would need to re-establish a connection and set my session variables again rather than just reconnect using the session ID from the dropped connection?

Yes. There is no way for a client to specify a desired session ID. The session ID is only used once - the server notifies the client of the ID used in the initial handshake upon connection establishment, even before authentication is attempted.

Take a look at the docs for protocol details: http://dev.mysql.com/doc/internals/en/connection-phase.html#plain-handshake

> I apologize about these basic mysql-mechanics questions - I need to satisfy our auditors, so I need to understand =)

The auditors should know their trade and not simply try pressing requirements they've read about in an IT manager magazine.

Denis
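To make Denis' point concrete for an audit reviewer: the connection ID is a field of the server's very first packet (Protocol::HandshakeV10), sent before the client has presented any credentials, and the same packet advertises whether the server offers SSL/TLS. The following example is added here and is not code from the thread or from MySQL; it builds a constructed HandshakeV10 greeting with the layout documented in the MySQL Internals manual and parses the connection ID and capability flags back out of it.

```python
import struct

# Capability bits as defined in the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000

def build_handshake_v10(connection_id, server_version, capabilities, salt, plugin):
    """Constructed HandshakeV10 greeting (with 4-byte packet header); not a real server capture."""
    assert len(salt) == 20, "the server scramble is 20 bytes"
    payload = b"\x0a" + server_version + b"\x00"           # protocol version 10, version string
    payload += struct.pack("<I", connection_id)             # connection (thread) id, pre-authentication
    payload += salt[:8] + b"\x00"                           # auth-plugin-data-part-1 + filler
    payload += struct.pack("<H", capabilities & 0xFFFF)     # capability flags, lower 16 bits
    payload += b"\x21" + struct.pack("<H", 0x0002)          # charset utf8, status flags (autocommit)
    payload += struct.pack("<H", capabilities >> 16)        # capability flags, upper 16 bits
    payload += struct.pack("<B", len(salt) + 1)             # auth_plugin_data_len (incl. NUL)
    payload += b"\x00" * 10                                 # reserved
    payload += salt[8:] + b"\x00"                           # auth-plugin-data-part-2
    payload += plugin + b"\x00"                             # auth plugin name
    header = struct.pack("<I", len(payload))[:3] + b"\x00"  # 3-byte length + sequence id 0
    return header + payload

def parse_handshake_v10(packet):
    """Extract the fields an auditor cares about from a server greeting."""
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if body[0] != 0x0a:
        raise ValueError("not a HandshakeV10 packet")
    end = body.index(b"\x00", 1)
    server_version = body[1:end].decode()
    pos = end + 1
    connection_id = struct.unpack_from("<I", body, pos)[0]
    pos += 4 + 8 + 1                                        # skip scramble part 1 and filler
    cap_low, _charset, _status, cap_high = struct.unpack_from("<HBHH", body, pos)
    pos += 7
    caps = cap_low | (cap_high << 16)
    auth_len = body[pos]
    pos += 1 + 10                                           # auth_plugin_data_len + reserved
    if caps & CLIENT_SECURE_CONNECTION:
        pos += max(13, auth_len - 8)                        # scramble part 2
    plugin = ""
    if caps & CLIENT_PLUGIN_AUTH:
        nul = body.find(b"\x00", pos)
        plugin = body[pos:nul if nul != -1 else len(body)].decode()
    return {"server_version": server_version, "connection_id": connection_id,
            "capabilities": caps, "ssl_supported": bool(caps & CLIENT_SSL), "auth_plugin": plugin}
```

Nothing in the client's reply carries a connection ID back, so the only thing worth checking on the wire is `ssl_supported`: if it is false, the TLS hardening Denis recommends cannot be negotiated on that server.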
Re: Session ID Generation
Great, thanks to all.

I don't mean to defend our auditors, because they are a PITA, but they do appear to be decently knowledgeable in general - but they aren't, nor can they be expected to be, specific application-level experts - otherwise, the number of auditors we would be required to hire would be cost prohibitive...there is a necessary balance =)

Just because MySQL implements this way (and, obviously, is conscious of these security concerns), doesn't mean the latest NoSQL solution deployed to github, written in python during a cocaine fuelled weekend, does...they aren't here to say no to whatever software I desire to use, they just need to verify. So, really, the wand of ignorance should be pointed in my direction =)

This leads me to my final question: is this documented anywhere beyond the source code and this thread? I was specifically searching for session id generation, but clearly this search was too narrow. I'll look more generally for how MySQL establishes connections and maintains sessions - but if you happen to know where it might be documented off the top of your head, I would appreciate it.

Thanks again for everyone's insightful and quite helpful responses.

S

On Fri, Jun 21, 2013 at 7:58 AM, Denis Jedig d...@syneticon.net wrote:
> Steven,
>
> Am 21.06.2013 13:35, schrieb Steven Siebert:
>> If the TCP connection is lost...is the session effectively over and can not be re-established on another socket?
>
> Yes.
>
>> In a mysql client sense, I would need to re-establish a connection and set my session variables again rather than just reconnect using the session ID from the dropped connection?
>
> Yes. There is no way for a client to specify a desired session ID. The session ID is only used once - the server notifies the client of the ID used in the initial handshake upon connection establishment, even before authentication is attempted.
>
> Take a look at the docs for protocol details: http://dev.mysql.com/doc/internals/en/connection-phase.html#plain-handshake
>
>> I apologize about these basic mysql-mechanics questions - I need to satisfy our auditors, so I need to understand =)
>
> The auditors should know their trade and not simply try pressing requirements they've read about in an IT manager magazine.
>
> Denis
Re: Session ID Generation
Thanks for responding Johan.

I am indeed looking for MySQL session ID's, not an HTTP session ID. I'm doing a defense in depth audit and reviewing potential threats to each remote connection - in this case session fixation. I know I can set various session timeout properties that help mitigate fixation and hijacking, but a randomly generated, server-only generated session id goes a long way to mitigate the risk. Just a note, we are following industry best practices utilizing a DMZ...but our biggest threat is an insider, so we need to realize any potential risk.

You stated these IDs are sequential...do you know if there is any way to modify this to utilize a random generation? Sequential session IDs are an avenue to session hijacking.

Thanks,
S

On Fri, Jun 21, 2013 at 2:40 AM, Johan De Meersman vegiv...@tuxera.be wrote:
> Mysql assigns its session IDs sequentially as they come in. I suspect, however, that you're looking for session IDs as used by websites - generation of those is entirely not a mysql issue, it is only a potential store for them.
>
> Steven Siebert smsi...@gmail.com wrote:
>> Hello all,
>>
>> I've looked through, what I believe to be, the relevant areas in the MySQL docs as well as standard search engine searches without luck. I was hoping to find some documentation that would tell me:
>>
>> - how MySQL session Ids are generated (specifically, are they considered random)
>> - does MySQL require session ids sent from the client to be server generated (ie the client can't make one up and that is used for the session)
>> - is there any other relevant security protections or concerns for mysql session management that would be of interest?
>>
>> Thanks,
>> Steve
>
> -- 
> Sent from Kaiten Mail. Please excuse my brevity.
Session ID Generation
Hello all,

I've looked through, what I believe to be, the relevant areas in the MySQL docs as well as standard search engine searches without luck. I was hoping to find some documentation that would tell me:

- how MySQL session Ids are generated (specifically, are they considered random)
- does MySQL require session ids sent from the client to be server generated (ie the client can't make one up and that is used for the session)
- is there any other relevant security protections or concerns for mysql session management that would be of interest?

Thanks,
Steve