Great, thanks to all. I don't mean to defend our auditors, because they are a PITA, but they do appear to be decently knowledgeable in general - but they aren't, nor can they be expected to be, specific application-level experts - otherwise, the number of auditors we would be required to hire would be cost prohibitive...there is a necessary balance =) Just because MySQL implements this way (and, obviously is conscious of these security concerns), doesn't mean the latest NoSQL solution deployed to github, written in python during a cocaine-fuelled weekend, does...they aren't here to say "no" to whatever software I desire to use, they just need to verify. So, really, the wand of ignorance should be pointed in my direction =)
This leads me to my final question: is this documented anywhere beyond the source code and this thread? I was specifically searching for session id generation, but clearly this search was too narrow. I'll look more generally for how MySQL establishes connections and maintains sessions - but if you happen to know where it might be documented off the top of your head, I would appreciate it.

Thanks again for everyone's insightful and quite helpful responses.

S

On Fri, Jun 21, 2013 at 7:58 AM, Denis Jedig <d...@syneticon.net> wrote:

> Steven,
>
> On 21.06.2013 13:35, Steven Siebert wrote:
>
>> If the TCP connection is lost...is the session effectively over and
>> cannot be re-established on another socket?
>
> Yes.
>
>> In a mysql client sense, I
>> would need to re-establish a connection and set my session variables again
>> rather than just reconnect using the session ID from the "dropped"
>> connection?
>
> Yes. There is no way for a client to specify a "desired" session ID. The
> session ID is only used once - the server notifies the client of the ID
> used in the initial handshake upon connection establishment, even before
> authentication is attempted. Take a look at the docs for protocol details:
>
> <http://dev.mysql.com/doc/internals/en/connection-phase.html#plain-handshake>
>
>> I apologize about these basic mysql-mechanics questions - I need to
>> satisfy
>> our auditors, so I need to understand =)
>
> The auditors should know their trade and not simply try pressing
> requirements they've read about in an IT manager magazine.
>
> Denis
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: http://lists.mysql.com/mysql
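
The handshake behaviour described in the quoted reply, as an added example that is not part of the thread and not MySQL's own code: a parser for the server's initial greeting (Protocol::HandshakeV10, the packet covered by the linked connection-phase documentation) that extracts the server-assigned connection ID. The function names and the packet bytes are constructed for illustration.

```python
import struct

def build_sample_greeting(connection_id, version=b"0.0.0-sample"):
    """Constructed Protocol::HandshakeV10 packet (sample bytes, not a capture)."""
    payload = (
        b"\x0a" + version + b"\x00"          # protocol version 10, server version
        + struct.pack("<I", connection_id)   # connection ID chosen by the server
        + b"ABCDEFGH\x00"                    # auth-plugin-data part 1 + filler
        + struct.pack("<HBHH", 0xF7FF, 8, 0x0002, 0x807F)  # caps, charset, status, caps
        + bytes([21]) + bytes(10)            # auth data length, reserved bytes
        + b"IJKLMNOPQRST\x00"                # auth-plugin-data part 2
        + b"mysql_native_password\x00"       # auth plugin name
    )
    # Packet header: 3-byte little-endian payload length, then sequence id 0.
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

def parse_greeting(packet):
    """Return the fields a client learns before it has sent any credentials."""
    if len(packet) < 4:
        raise ValueError("short packet header")
    length, seq = int.from_bytes(packet[:3], "little"), packet[3]
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if seq != 0 or not payload or payload[0] != 0x0A:
        raise ValueError("not an initial HandshakeV10 packet")
    nul = payload.index(b"\x00", 1)          # ValueError if version is unterminated
    if len(payload) < nul + 1 + 4 + 8:
        raise ValueError("payload ends before connection ID / scramble")
    (connection_id,) = struct.unpack_from("<I", payload, nul + 1)
    return {
        "server_version": payload[1:nul].decode("ascii"),
        "connection_id": connection_id,      # 4 bytes, little-endian, server -> client only
        "scramble_part1": payload[nul + 5:nul + 13],
    }

if __name__ == "__main__":
    # Two constructed greetings, as two separate TCP connections would receive.
    for cid in (4242, 4243):
        print(parse_greeting(build_sample_greeting(cid)))
```

On a live session, `SELECT CONNECTION_ID()` returns the same value the greeting carried, which gives an auditor a way to check it against a packet capture.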