After I exchange a secret key for block ciphers via SSL, my server is returning in SSL a magic# and a session#, both 4-byte ints, essentially bigints in MySQL, but that is just for overflow above 2 million. SSL is then scrapped and the client calls the server with the session# in the clear but the magic# encrypted with application data in the payload. The server grabs the session#, thereby knowing the client, and verifies the magic#. If not equal, it does not respond. The lookup gets the client's secret key. The two happily chat via AES or some other block cipher.

My question is whether or not there is a security risk with something like this at the beginning of the plaintext prior to encrypting:

mn=3217282736(then followed with app data)

where mn above is the magic#.

I could have the magic# change after, say, every 100 calls. Or I could just add 1 to it every time and have the server cope with it.

The magic and session #'s are generated with Fourmilab HotBits.
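The "add 1 every time and have the server cope" variant from the question, sketched as an added example (not code from the original post). It assumes the payload has already been decrypted with the client's key, that the magic# is a fixed-width, zero-padded 10-digit field after `mn=`, and that the server tolerates a small window of lost calls; `Session`, `split_plaintext`, `accept` and `WINDOW` are hypothetical names.

```python
import re

MASK32 = 0xFFFFFFFF                    # magic# is a 4-byte unsigned int, so it wraps
WINDOW = 8                             # assumed: number of lost calls the server tolerates
PREFIX = re.compile(rb"mn=(\d{10})")   # assumed: fixed-width, zero-padded decimal field


class Session:
    """Server-side state looked up by the cleartext session# (hypothetical)."""

    def __init__(self, magic):
        self.expected = magic & MASK32  # next magic# the server will accept


def split_plaintext(plaintext):
    """Return (magic, app_data) from decrypted plaintext, or None if malformed."""
    m = PREFIX.match(plaintext)
    if m is None:
        return None
    magic = int(m.group(1))
    if magic > MASK32:                  # does not fit in 4 bytes
        return None
    return magic, plaintext[m.end():]


def accept(session, plaintext):
    """Verify the magic# and advance it; None means the server stays silent."""
    parsed = split_plaintext(plaintext)
    if parsed is None:
        return None
    magic, app_data = parsed
    # Distance ahead of the expected value, modulo 2**32 so wraparound works.
    # A replayed (older) magic# lands near 2**32 and is rejected.
    ahead = (magic - session.expected) & MASK32
    if ahead >= WINDOW:
        return None
    session.expected = (magic + 1) & MASK32
    return app_data


if __name__ == "__main__":
    s = Session(3217282736)             # constructed sample, value taken from the post
    print(accept(s, b"mn=3217282736hello"))   # first call is accepted
    print(accept(s, b"mn=3217282736hello"))   # same message replayed is dropped
```
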