Hi All,
Earlier this year there was a discussion between Tom and Ezra regarding extending 'set session authorization' to
facilitatechanging
the identity of a connection. A synopsis of the discussion is that Tom felt this was bad and the web application should
havemore
responsibility for handling session security.
I need to implement some session based authentication / authorization and would like to learn from others experience
before
embarking too far down this path.
Some constraints:
1/ I'm not keen on embedding secret passwords in a web config file but if I have to I will (*sigh*).
2/ The user names used in the authentication credentials (from the perspective of the user) are _NOT_ the same as those
internally
used in postgres. (Postgres has strict limitations on usernames which make using them for users impractical.)
3/ I want to use cookies and session based authentication (rather than continually use a username password tuple for
eachrequest).
(But then you could rationalize that the username / password could be reversed out of the session key so this may be a
mutepoint -
it will be over a secure connection).
To meet these constraints it would appear necessary to:
1/ Run an external mapping of human usernames to postgres user names (or burn a connect / disconnect cycle to the db).
2/ Connect using the credentials (mapped username) and provided password
3/ Work as necessary (using connected uid)
4/ Disconnect
Is this the best (or only) technique?
If any one has any suggestions or experience in this then I'd appreciate hearing them.
Thanks in advance,
-Greg