Alvaro Herrera <alvherre@commandprompt.com> writes:
> Andrew Gierth wrote:
>> 2. The server accepts either the old-style or the secure cancel
>> request from the client, but doesn't allow old-style requests
>> once a valid secure request has been seen.
> Hmm, I think there should be a way to turn off acceptance of old-style
> without necessarily requiring a new-style request. Otherwise, how are
> you protected from DoS if you have never sent a cancel request at all?
Assuming you were using SSL, it's hard to see how an attacker is going
to get your cancel key without having seen a cancel request.
However, I dislike Andrew's proposal above even without that issue,
because it means *still more* changeable state that has to be magically
shared between postmaster and backends. If we want to have a way for
people to disable insecure cancels, we should just have a postmaster
configuration parameter that does it.
Also, this whole proposal has gotten far past what I'd consider a
sanely back-patchable thing. Don't bother thinking about whether it
will go into pre-8.4 code.
regards, tom lane