Hi All,

Earlier this year there was a discussion between Tom and Ezra regarding extending 'set session authorization' to facilitate changing the identity of a connection. A synopsis of the discussion is that Tom felt this was bad and the web application should have more responsibility for handling session security.

I need to implement some session based authentication / authorization and would like to learn from others' experience before embarking too far down this path.

Some constraints:

1/ I'm not keen on embedding secret passwords in a web config file, but if I have to I will (*sigh*).

2/ The user names used in the authentication credentials (from the perspective of the user) are _NOT_ the same as those internally used in postgres. (Postgres has strict limitations on usernames which make using them for users impractical.)

3/ I want to use cookies and session based authentication (rather than continually use a username / password tuple for each request). (But then you could rationalize that the username / password could be reversed out of the session key, so this may be a moot point; it will be over a secure connection.)

To meet these constraints it would appear necessary to:

1/ Run an external mapping of human usernames to postgres user names (or burn a connect / disconnect cycle to the db).

2/ Connect using the credentials (mapped username) and provided password

3/ Work as necessary (using connected uid)

4/ Disconnect

Is this the best (or only) technique?

If anyone has any suggestions or experience in this then I'd appreciate hearing them.

Thanks in advance,

   -Greg
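The four-step flow Greg sketches (map the human login to a postgres role, connect as that role with the supplied password, do the work, disconnect), as an added example that is not part of his post or of PostgreSQL itself. It also addresses his constraints 2 and 3: the mapping function produces role names that fit postgres identifier rules (63-byte limit, quoted where needed), and the cookie carries only an opaque random token while the credentials stay in a server-side session store, so nothing can be "reversed out of the session key". `FakeConnection`, `connect_fake`, `provision_role` and the `_PG_ROLES` table are constructed stand-ins for a real driver and the server's role catalogue so the example runs offline; the `app_` prefix and the digest suffix are design choices of this example, not anything from the thread.

```python
"""Per-request connect-as-mapped-user flow (constructed example)."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

NAMEDATALEN_LIMIT = 63  # postgres silently truncates identifiers beyond 63 bytes


def map_to_pg_role(human_name: str, prefix: str = "app_") -> str:
    """Derive a valid postgres role name from an arbitrary human login.

    Human logins may contain '@', '.', spaces or uppercase and may be long.
    We normalise to lowercase [a-z0-9_] and append a short digest of the
    original so that two logins which normalise identically ('a.b', 'a_b')
    still map to distinct roles. Total length is kept within the 63-byte limit.
    """
    normalised = re.sub(r"[^a-z0-9_]", "_", human_name.lower())
    digest = hashlib.sha256(human_name.encode()).hexdigest()[:8]
    room = NAMEDATALEN_LIMIT - len(prefix) - 1 - len(digest)
    return f"{prefix}{normalised[:room]}_{digest}"


def quote_ident(name: str) -> str:
    """Quote a SQL identifier (for CREATE ROLE / SET ROLE etc.); never splice role names in raw."""
    return '"' + name.replace('"', '""') + '"'


# ---- constructed stand-in for the database server and driver ---------------
_PG_ROLES: dict = {}  # role name -> password, as if created with CREATE ROLE ... LOGIN PASSWORD


def provision_role(human_name: str, password: str) -> str:
    """Simulate creating the mapped login role on the server; returns the role name."""
    role = map_to_pg_role(human_name)
    _PG_ROLES[role] = password
    return role


class FakeConnection:
    """Minimal connection object: knows who it is connected as and whether it is closed."""

    def __init__(self, user: str):
        self.user = user
        self.closed = False

    def current_user(self) -> str:
        return self.user  # what SELECT current_user would return on a real connection

    def close(self) -> None:
        self.closed = True


def connect_fake(user: str, password: str) -> FakeConnection:
    """Stand-in for a driver's connect(user=..., password=...) with password auth."""
    expected = _PG_ROLES.get(user, "")
    if not hmac.compare_digest(expected.encode(), password.encode()):
        raise PermissionError(f"password authentication failed for user {quote_ident(user)}")
    return FakeConnection(user)


# ---- server-side session store: cookie holds only an opaque token ----------
@dataclass
class SessionStore:
    _sessions: dict = field(default_factory=dict)  # sha256(token) -> (human, role, password)

    def create(self, human_name: str, password: str) -> str:
        """Issue a random token; only its hash is kept, so a leaked store yields no usable cookies."""
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._sessions[key] = (human_name, map_to_pg_role(human_name), password)
        return token

    def lookup(self, token: str):
        return self._sessions.get(hashlib.sha256(token.encode()).hexdigest())

    def destroy(self, token: str) -> None:
        self._sessions.pop(hashlib.sha256(token.encode()).hexdigest(), None)


def run_as_user(store: SessionStore, token: str, connect, work):
    """Steps 2-4 of the flow: connect as the mapped role, do the work, disconnect."""
    entry = store.lookup(token)
    if entry is None:
        raise PermissionError("unknown or expired session")
    _human, role, password = entry
    conn = connect(user=role, password=password)  # step 2: connect with mapped credentials
    try:
        return work(conn)  # step 3: work runs with the connected role's privileges
    finally:
        conn.close()  # step 4: always disconnect, even if work() raised
```

Usage: call `provision_role(login, password)` once per user (the real equivalent is `CREATE ROLE ... LOGIN PASSWORD ...`), hand out `store.create(login, password)` as the cookie value at login, and wrap each request in `run_as_user(store, cookie, connect_fake, work)`. A wrong or stale password in the session fails at connect time rather than silently running as someone else, and the `finally` guarantees the "burn a connect / disconnect cycle" cost is paid exactly once per request.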
