Thread: Users and session ids

Users and session ids

From

"C G"

Date:

10 December 2003, 08:55:33

Dear All,

I wonder if anyone can advise me with this problem.

1. A user logs into the database (through web, webservice, some other piece
of software) - connect(user="joe",passwd="blogs")
2. We generate a random session key which will expire in 1 hour. Put this in
table (user, SessKey, time).
3. Give key to user.
4. User wants to do something else, so passes us the session key.
5. How do we use this session key to log the user into the database, i.e.
how do we get the username and passwd to enable:
connect(user="joe",passwd="blogs").

Many thanks

Colin

_________________________________________________________________
Tired of 56k? Get a FREE BT Broadband connection
http://www.msn.co.uk/specials/btbroadband

Re: Users and session ids

From

"Uwe C. Schroeder"

Date:

10 December 2003, 09:33:58

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


You've got to have some kind of "middleware". Apache, custom, whatever.
Basically this piece of middleware gets the session key.
Have the middleware (using a common login) retrieve the ser (and password)
drom the database table and authenticate the user.


On Wednesday 10 December 2003 01:55 am, C G wrote:
> Dear All,
>
> I wonder if anyone can advise me with this problem.
>
> 1. A user logs into the database (through web, webservice, some other piece
> of software) - connect(user="joe",passwd="blogs")
> 2. We generate a random session key which will expire in 1 hour. Put this
> in table (user, SessKey, time).
> 3. Give key to user.
> 4. User wants to do something else, so passes us the session key.
> 5. How do we use this session key to log the user into the database, i.e.
> how do we get the username and passwd to enable:
> connect(user="joe",passwd="blogs").
>
> Many thanks
>
> Colin
>
> _________________________________________________________________
> Tired of 56k? Get a FREE BT Broadband connection
> http://www.msn.co.uk/specials/btbroadband
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
>                http://archives.postgresql.org

- --
    UC

- --
Open Source Solutions 4U, LLC    2570 Fleetwood Drive
Phone:  +1 650 872 2425        San Bruno, CA 94066
Cell:   +1 650 302 2405        United States
Fax:    +1 650 872 2417
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/1vZ3jqGXBvRToM4RAv+pAJ0bzCNwhsHxoCk36lXbppy8oQ7C6QCcD4H5
GKM2nyxIaOgp98liPyjKk8w=
=qF5p
-----END PGP SIGNATURE-----

Re: Users and session ids

From

"Keith C. Perry"

Date:

10 December 2003, 14:27:56

Quoting C G <csgcsg39@hotmail.com>:

> Dear All,
>
> I wonder if anyone can advise me with this problem.
>
> 1. A user logs into the database (through web, webservice, some other piece
> of software) - connect(user="joe",passwd="blogs")
> 2. We generate a random session key which will expire in 1 hour. Put this in
>
> table (user, SessKey, time).
> 3. Give key to user.
> 4. User wants to do something else, so passes us the session key.
> 5. How do we use this session key to log the user into the database, i.e.
> how do we get the username and passwd to enable:
> connect(user="joe",passwd="blogs").
>
> Many thanks
>
> Colin

Colin,

For the web, if you are running apache and mod_perl, take a look at the
PosgreSQL authentication modules on CPAN.org.  In particular, anything that
deals with "cookie tracking" or authentication with cookies would be a start.

Of coures there are similar modules/methods for the other PG supported languages
as well.


--
Keith C. Perry, MS E.E.
Director of Networks & Applications
VCSN, Inc.
http://vcsn.com

____________________________________
This email account is being host by:
VCSN, Inc : http://vcsn.com

Re: Users and session ids

From

Shridhar Daithankar

Date:

11 December 2003, 05:56:18

C G wrote:

> Dear All,
>
> I wonder if anyone can advise me with this problem.
>
> 1. A user logs into the database (through web, webservice, some other
> piece of software) - connect(user="joe",passwd="blogs")
> 2. We generate a random session key which will expire in 1 hour. Put
> this in table (user, SessKey, time).
> 3. Give key to user.
> 4. User wants to do something else, so passes us the session key.
> 5. How do we use this session key to log the user into the database,
> i.e. how do we get the username and passwd to enable:
> connect(user="joe",passwd="blogs").

It is involved at multiple steps.

1. Use a connection pool, all connecting as superuser
2. Authenticate user with opening a new connection
3. Store a map of user session key v/s username/userid in application.
4. Use set session authorization after verifying the key.

It could have been good if postgresql could authenticate over an existing
connection or make set session authorisation accept username/password. But
anyways.. that is not such a big hassle except for the fact that each
authorisation costs starting/killing one connection

  HTH

  Shridhar