Andreas wrote:
> I asked elsewhere about the best way to store db credentials within a
> user-session of a web-app.
>
> It appeared that it was for everybody but me evident that instead of
> having a db-role+passwd for every user of an application it was better
> to have just 1 set of db-credentials for the application and recreate a
> user management within the app instead of using the existing user handling
> of the dbms.
>
> That way the app checks the user's password as an md5 in some table and
> remembers "user is logged in" for later. The actual queries would be
> done with a common set of real db credentials.
>
> Pro: No one could bypass the app and use e.g. pgAdmin to access the DB
> instead of the app.
>
> Con: A bug in the app could give anyone the access level of the app's
> credentials which might offer admin rights if such power is needed at
> least for some users.
>
>
> What's your opinion?
You forgot the most important pro:
If the web application server uses a single database user, you can
use connection pooling, i.e. reuse connections instead of maintaining
one connection per database user. This will boost performance.
True, you could have a connection pool and use ALTER SESSION AUTHORIZATION
to become a certain database user for one request, but that means
that the application server login user must be a superuser, which is
a terrible idea.
Yours,
Laurenz Albe
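Added example, not from the thread above: one way to set up the design under discussion in PostgreSQL so that the "con" Andreas names (a bug in the app exposes the app's database privileges) is capped by least privilege, while the single pooled login role still gets connection pooling. The app-side password table uses salted bcrypt via the pgcrypto extension rather than a bare md5, and the per-request privilege switch uses SET ROLE, which only requires role membership, rather than SET SESSION AUTHORIZATION, which does require a superuser. The role names app_login, app_rw and app_admin, the table app_user and all passwords are hypothetical.

```sql
-- Added example (not part of the original thread). Assumes PostgreSQL with
-- the pgcrypto extension available; role, table and password values are
-- made up for illustration.

-- 1. Application-side user table with salted bcrypt hashes instead of md5.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE app_user (
    id            serial  PRIMARY KEY,
    username      text    NOT NULL UNIQUE,
    password_hash text    NOT NULL,           -- output of crypt(..., gen_salt('bf'))
    is_admin      boolean NOT NULL DEFAULT false
);

INSERT INTO app_user (username, password_hash, is_admin) VALUES
    ('alice', crypt('correct horse battery staple', gen_salt('bf', 12)), false),
    ('root',  crypt('example-admin-password',       gen_salt('bf', 12)), true);

-- Login check done by the application. crypt() re-hashes the supplied
-- password with the salt embedded in the stored hash, so one row comes
-- back on success and no row on failure; the app then remembers
-- "user is logged in" (and is_admin) in its own session.
SELECT id, is_admin
  FROM app_user
 WHERE username = 'alice'
   AND password_hash = crypt('correct horse battery staple', password_hash);

-- 2. Least privilege for the one login role the pool uses.
--    app_login is the only role with LOGIN and a password; it is not a
--    superuser and owns nothing, so an application bug yields at most
--    the grants below.
CREATE ROLE app_rw    NOLOGIN;
CREATE ROLE app_admin NOLOGIN;
CREATE ROLE app_login LOGIN PASSWORD 'change-me'
       NOSUPERUSER NOCREATEDB NOCREATEROLE;

GRANT SELECT, INSERT, UPDATE ON app_user TO app_rw;
GRANT USAGE ON SEQUENCE app_user_id_seq TO app_rw;
GRANT ALL ON app_user TO app_admin;    -- plus any admin-only tables

-- Membership is what allows SET ROLE; no superuser is involved.
GRANT app_rw    TO app_login;
GRANT app_admin TO app_login;

-- 3. Per-request pattern on a connection checked out of the pool.
--    Normal request: work as app_rw.
BEGIN;
SET LOCAL ROLE app_rw;
UPDATE app_user SET password_hash = crypt('new password', gen_salt('bf', 12))
 WHERE username = 'alice';
COMMIT;                 -- SET LOCAL ends with the transaction

--    Request by a user the app has authenticated as is_admin:
BEGIN;
SET LOCAL ROLE app_admin;
DELETE FROM app_user WHERE username = 'alice';
COMMIT;

--    Always return the connection to the pool in a known state.
RESET ROLE;             -- or DISCARD ALL, which also drops temp tables etc.

-- 4. Checks worth running after setup.
--    (a) Nothing the application can reach is a superuser:
SELECT rolname, rolsuper, rolcreaterole
  FROM pg_roles
 WHERE rolname IN ('app_login', 'app_rw', 'app_admin');
--    expected: rolsuper = false and rolcreaterole = false on every row

--    (b) The everyday role really is capped; this must fail with
--        "must be owner of table app_user":
SET ROLE app_rw;
DROP TABLE app_user;
RESET ROLE;
```

Two things to keep in mind with this layout: SET ROLE only narrows what the *pool* connection may do for the current request, and because app_login remains a member of app_admin, nothing stops buggy application code from issuing SET ROLE app_admin itself, so the grant list on app_rw is the real ceiling for a compromised app. And whatever runs the pool must issue RESET ROLE (or DISCARD ALL) before handing a connection to the next request, or an admin request's role leaks into the one that follows.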