On Mon, Jan 22, 2007 at 20:25:48 +0100,
Bertram Scharpf <lists@bertram-scharpf.de> wrote:
>
> What I want to do is the following:
>
> 1. Login in from a program on a client as a particualar user.
For this case you shouldn't need to do anything tricky as long as the user
is login in as themselves. Just prompt the user for their password and use it
when you open a connection to the database. If you are trying to have the
program login without the user being able to steal or borrow the credentials,
then you have a serious design flaw.
> 2. Login from a series of scripts run by Apache on localhost
> ('trust' authentication method). Of course, I won't hand the
> password through web pages. Therefore I store something like a
> 'session cookie' in a table. Next time I log in as a superuser,
> read the appropriate entry and immediately do a "set session
> autorization". The first step can be done in two ways: (a) I write
> a special login routine, (b) I log in as any other script and do
> the password check against pg_authid using the function I proposed.
If you use trust, be sure to limit that authentication rule to expected
IP addresses and take steps to prevent spoofed packets from getting into
your network. If the web server is running on the same machine as the DB,
then consider using ident authentication and connecting using domain sockets.
(This is available under Windows.)
