cryptography, was Drawbacks of using BYTEA for PK? - Mailing list pgsql-general

From Chris Travers
Subject cryptography, was Drawbacks of using BYTEA for PK?
Date
Msg-id 015801c3d9b1$3a5b8120$54285e3d@winxp
In response to Re: Drawbacks of using BYTEA for PK?  ("scott.marlowe" <scott.marlowe@ihs.com>)
Responses Re: cryptography, was Drawbacks of using BYTEA for PK?  ("Keith C. Perry" <netadmin@vcsn.com>)
List pgsql-general
From: "Keith C. Perry" <netadmin@vcsn.com>
> Using an MD5 hash to
> "hide" them will slow your app down by some delta and not protect your
> connection.  Granted garbling that id with a password is somewhat more secure
> but your connection could still be attacked or even hijacked.
>
> In the URLs you gave above, why are you not using HTTPS (i.e. authentication)?
> What about using cryptographic cookies to identify your session and link that
> to your userid (after authorization)?

HTTPS I can see.  I am having difficulty understanding how you could use
cryptographic cookies to prevent session hijacking though, given the current
setup.  Also, you could use SSL between the web server and PostgreSQL to
secure that connection.

As a side question:  Does PostgreSQL support using Kerberos for encrypted
connections (beyond authentication), or do you need to use SSL for that?

Best Wishes,
Chris Travers

