So Pavel, are are saying there is no such thing as Session ID in PostgreSQL DB at all? Everything is tight to the process, session is accociated with, so in essence pid is session id?
There is backendId and processid, but these id are valid only for one session, and after logout these ids are invalid - usually they are used for fast access to static shared arrays - PGPROC array and similar - mainly for info about snapshots and locks. These arrays are static - new sessions immediately reuse space after destroyed sessions.
But there are not any info comparable with session id on web applications. It is significantly different architecture - fast, simply and different.
I understand the idea that for external communication you rely on SSL. However, how about me opening psql prompt into the database directly from my Linux box, my db is installed at? I thought, it would be considered local connection and would not go through the SSL channels. If that is the case, here we would be dealing with Session IDs belonging to DB itself, not OpenSSL.
all necessary data are stored local in process memory. No session ID is required.
Pavel
Please, correct me if I'm wrong.
Thanks,
Oleg
On Sun, Dec 20, 2015 at 11:28 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
oleg yusim <olegyusim@gmail.com> writes: > Got it, thanks... Now, is it any protection in place currently against > replacing Session ID (my understanding, it is kept in memory, belonging to > the session process) or against guessing Session ID (i.e. is Session ID > generated using FIPS 140-2 compliant algorithms, or anything of that sort)?
I don't think Postgres even has any concept that matches what you seem to think a Session ID is.
If you're looking for communication security/integrity checking, that's something we leave to other software such as SSL.
