Re: Users and session ids - Mailing list pgsql-general

From Shridhar Daithankar
Subject Re: Users and session ids
Date
Msg-id 3FD814E7.7080105@myrealbox.com
Whole thread Raw
In response to Users and session ids  ("C G" <csgcsg39@hotmail.com>)
List pgsql-general
C G wrote:

> Dear All,
>
> I wonder if anyone can advise me with this problem.
>
> 1. A user logs into the database (through web, webservice, some other
> piece of software) - connect(user="joe",passwd="blogs")
> 2. We generate a random session key which will expire in 1 hour. Put
> this in table (user, SessKey, time).
> 3. Give key to user.
> 4. User wants to do something else, so passes us the session key.
> 5. How do we use this session key to log the user into the database,
> i.e. how do we get the username and passwd to enable:
> connect(user="joe",passwd="blogs").

It is involved at multiple steps.

1. Use a connection pool, all connecting as superuser
2. Authenticate user with opening a new connection
3. Store a map of user session key v/s username/userid in application.
4. Use set session authorization after verifying the key.

It could have been good if postgresql could authenticate over an existing
connection or make set session authorisation accept username/password. But
anyways.. that is not such a big hassle except for the fact that each
authorisation costs starting/killing one connection

  HTH

  Shridhar

pgsql-general by date:

Previous
From: CSN
Date:
Subject: sequences not renamed with tables
Next
From: John Gibson
Date:
Subject: Storing Snapshot Data