Re: Password encryption method - Mailing list pgsql-general

From Bruno Wolff III
Subject Re: Password encryption method
Date
Msg-id 20070123051141.GA17550@wolff.to
In response to Re: Password encryption method  (Bertram Scharpf <lists@bertram-scharpf.de>)
Responses Re: Password encryption method
Re: Password encryption method
List pgsql-general
On Mon, Jan 22, 2007 at 20:25:48 +0100,
  Bertram Scharpf <lists@bertram-scharpf.de> wrote:
>
> What I want to do is the following:
>
>   1. Log in from a program on a client as a particular user.

For this case you shouldn't need to do anything tricky as long as the user
is logging in as themselves. Just prompt the user for their password and use it
when you open a connection to the database. If you are trying to have the
program log in without the user being able to steal or borrow the credentials,
then you have a serious design flaw.

>   2. Log in from a series of scripts run by Apache on localhost
>      ('trust' authentication method). Of course, I won't hand the
>      password through web pages. Therefore I store something like a
>      'session cookie' in a table. Next time I log in as a superuser,
>      read the appropriate entry and immediately do a "set session
>      authorization". The first step can be done in two ways: (a) I write
>      a special login routine, (b) I log in as any other script and do
>      the password check against pg_authid using the function I proposed.

If you use trust, be sure to limit that authentication rule to expected
IP addresses and take steps to prevent spoofed packets from getting into
your network. If the web server is running on the same machine as the DB,
then consider using ident authentication and connecting using domain sockets.
(This is available under Windows.)
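Added example, not part of the thread above: a constructed pg_hba.conf fragment that puts the wide-open trust rule beside the two safer forms Bruno describes (trust pinned to the loopback address, and OS-user authentication over the Unix-domain socket), plus a small POSIX shell/awk audit that flags trust rules reachable from anything other than loopback. The database name `webdb`, the role `webapp`, the sample file path and the function names are assumptions; `peer` is the spelling PostgreSQL 9.1 and later use for socket-based OS-user checks, while the 8.x servers current when this message was written spelled the same thing `ident sameuser`.

```shell
#!/bin/sh
# Constructed sample pg_hba.conf (assumed contents, not from the thread).
# Writes the sample to the path given as $1.
write_sample_hba() {
  cat > "$1" <<'EOF'
# TYPE  DATABASE  USER     ADDRESS         METHOD
# Risky: any host that can route a packet to the port connects as any role
# with no password at all; a spoofed source address is enough.
host    all       all      0.0.0.0/0       trust
# Better: trust only on loopback TCP, and only for the web role/database.
host    webdb     webapp   127.0.0.1/32    trust
# Best for an Apache on the same box: Unix-domain socket, OS user verified
# by the kernel. PostgreSQL 8.x wrote this as "ident sameuser"; 9.1+ "peer".
local   webdb     webapp                   peer
EOF
}

# Audit: print every trust rule that is not confined to loopback TCP.
# Exit status 1 if any such rule was found, 0 otherwise.
audit_pg_hba() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
    $NF != "trust"        { next }            # only trust rules matter here
    $1 == "local" {                           # socket trust: every OS account on the host
      print FILENAME ":" NR ": trust on Unix socket, open to every OS account: " $0
      bad = 1; next
    }
    # host/hostssl/hostnossl: field 4 is the address (CIDR or IP+mask form)
    $4 ~ /^(127\.0\.0\.1(\/32)?|::1(\/128)?)$/ { next }   # loopback only: acceptable
    {
      print FILENAME ":" NR ": trust reachable from non-loopback address: " $0
      bad = 1
    }
    END { if (bad) exit 1 }
  ' "$1"
}

# Usage (assumed path):
#   write_sample_hba /tmp/pg_hba.sample && audit_pg_hba /tmp/pg_hba.sample
```

Run against the sample, the audit reports only the `0.0.0.0/0` line; removing that line makes the file pass. Bruno's spoofing caveat is why the check is keyed on the address rather than on the method alone: a trust rule is only as safe as the set of hosts that can deliver packets matching it, and loopback is the one address an outside sender cannot credibly claim.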
